5ea1fb400f4c14b19fbb4be1eecfa4a4dbc316163ac3d4990477f7f6a179f1cf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Size

1.8MB
MD5

041fe4779101e41b619ee0aec34c02a2
SHA1

1b4885ede973712665cbf783162fce1f6746eef9
SHA256

5ea1fb400f4c14b19fbb4be1eecfa4a4dbc316163ac3d4990477f7f6a179f1cf
SHA512

4bfd2c05e01d4b525f7629d76f058df9485c75d96ded922e1d2c91af59679f15662dad224bf04ac7e463aa5f76e9d86c4b03ccf3b427641e06dc2b827aad1bcf
SSDEEP

49152:GE19+ApwXk1QE1RzsEQPaxHNuDmg27RnWGj:L93wXmoKGD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3764	alg.exe
1516	DiagnosticsHub.StandardCollector.Service.exe
2280	fxssvc.exe
2616	elevation_service.exe
3104	elevation_service.exe
2056	maintenanceservice.exe
212	msdtc.exe
3108	OSE.EXE
216	PerceptionSimulationService.exe
484	perfhost.exe
3288	locator.exe
4268	SensorDataService.exe
2172	snmptrap.exe
364	spectrum.exe
3472	ssh-agent.exe
2884	TieringEngineService.exe
836	AgentService.exe
4936	vds.exe
3648	vssvc.exe
3248	wbengine.exe
1488	WmiApSrv.exe
3740	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ca91e4c2c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c8e8846f1adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003eaf6545f1adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022c09745f1adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb564f46f1adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000157f1846f1adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090605745f1adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
1516	DiagnosticsHub.StandardCollector.Service.exe
1516	DiagnosticsHub.StandardCollector.Service.exe
1516	DiagnosticsHub.StandardCollector.Service.exe
1516	DiagnosticsHub.StandardCollector.Service.exe
1516	DiagnosticsHub.StandardCollector.Service.exe
1516	DiagnosticsHub.StandardCollector.Service.exe
1516	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Token: SeAuditPrivilege	2280	fxssvc.exe
Token: SeRestorePrivilege	2884	TieringEngineService.exe
Token: SeManageVolumePrivilege	2884	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	836	AgentService.exe
Token: SeBackupPrivilege	3648	vssvc.exe
Token: SeRestorePrivilege	3648	vssvc.exe
Token: SeAuditPrivilege	3648	vssvc.exe
Token: SeBackupPrivilege	3248	wbengine.exe
Token: SeRestorePrivilege	3248	wbengine.exe
Token: SeSecurityPrivilege	3248	wbengine.exe
Token: 33	3740	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeDebugPrivilege	4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Token: SeDebugPrivilege	4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Token: SeDebugPrivilege	4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Token: SeDebugPrivilege	4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Token: SeDebugPrivilege	4576	2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Token: SeDebugPrivilege	1516	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3740 wrote to memory of 1124	3740	SearchIndexer.exe	SearchProtocolHost.exe
PID 3740 wrote to memory of 1124	3740	SearchIndexer.exe	SearchProtocolHost.exe
PID 3740 wrote to memory of 4736	3740	SearchIndexer.exe	SearchFilterHost.exe
PID 3740 wrote to memory of 4736	3740	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3764

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3360

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2616

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:212

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3108

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:484

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3288

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4268

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:364

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1788

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1124

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
bac4b49b5be65b751017750d4f5ce2e3

SHA1
2345a801e9bf95558aedc2d6f0f67ec41d81e8a9

SHA256
1bd9911afbe6889c2fdb548f9304385e6e8d2ab3060940f6b167eea931b98c49

SHA512
39101de57285b51cd8d88ba311b889e6b6e944372b5c3c162f54c29a5e5f2af0956791dec0ccff08124038952fbe2746b3b15051d46a9bbb94d9160efdafb892

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
47860ef95331d73c1841ff17d6906a5f

SHA1
5d89c99a89ab45b6745b88426c83ecb5455fd4d4

SHA256
a2081a19f095351fd6c21017e9a3bdb38a47660564470712d28bd3d7c5ee22d5

SHA512
3060381489c21477d68bd3d1c2eb4457735ffb3645ebd581527543938f11a5a7a537fb755330409f31f4d15089309c5281495317048cb4661eec087e8b06d8c8

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
780b2a243d6a05759d62828dceb21f99

SHA1
2c0581708029e2af154c2de2dcb2b653b433d839

SHA256
8394c6dd54dc72ff0b7757592894958debbaa7d2531f35640c9e3864c7d525ed

SHA512
09a50cbb3ed9de39addbdb516fa7eb3b7492bcf6fcc38956ede0e2179bb5afc00341d3ed7b069da2a684cfd1a81262c7d1d4416c0aec8e63f9c2fa1d6236025e

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
58e720ab9f280646adf3c20a09b96630

SHA1
a46c16f87361a5139e46d1818ca09aa51278732b

SHA256
28312e5ee53a6b6cf99542f365743d39e429e241704b4afff7a3d515d0d88162

SHA512
3dd54bac9713a5d57406344653212dadf14acf74c4514f7fe33d4d8d058cdfaa4d1d67211eba1d745576ef0438ed5b20a3e0975ada5244f779ca1ebc4a177c54

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
5d5088c0767631f30cfc39c2e6ce6136

SHA1
79502e96ace3399659a02881c84542de3bb2b30a

SHA256
89255f6649e0fb7759efa95519916b59c10ce0d08de6e22037e6d0f4e44cc2fb

SHA512
5527e9c9521ad78bc59344bf896421fdea3a655fa8c22ebd87bb8e3df2c0485fbe64fc156f1d3710538b1bb73a02febffa8f16f03cc6ca15e603db21b3e9d8c3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
a1d282c5d8a1b3de7671aca281b0b1ba

SHA1
7291afcc69872f8edfaca6e5ade4744245993732

SHA256
3d3e4cd0836105acf7b4bcfd803d7848ac77521d2463a6a48a7ad9002fef8763

SHA512
56451961f0e165fc825e3076c75bb58c4b0760556c7cb49dc8a5940b5bbf4cff71113758d1580275497799e2371fa71e78790722ee076e8072201249f7ac6922

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
457961699859f301a46323f8de7c1ed0

SHA1
e794651025d314cc9899f65e9e857f0e9d5e0960

SHA256
abf4aec7b367b54579699792dc486b859c559f0a2e402799d2a62e1ca9f06b0b

SHA512
e95493b55b9dd7989e3817a3389858ab7db90e823370e55f2e4a836d9b887183a2292dab7e1cc8f4cd338a581122cc18612695462a2f80ad7508e70d0114e104

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
2ba59e319716f3cd99640ba717a9a76f

SHA1
ee9da699c3542bf6205bec4e732dcf73f58abe3f

SHA256
d89379d50ee458ec4e79aad6ea765d0c94ade766e82f4f37a5e723c17ab18511

SHA512
09fe1305b171dea6b2b5eacfb560c1475598340a26c23a0fa28a1df6cc87cdcdff089cdbbd5d444ef0c61b1e81edf5a1d144572252dfe73dd632ed61dbcf7fa0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
610eedbd2ca7b77b2d7dcc896af61d76

SHA1
a7b5c3f602ab5af7006d74ed12eee846999c9172

SHA256
acc0ee01df424473e1fbf190a381393f8c086f88fd9b710890188b27ffb11ef9

SHA512
4750aa6540445f13f7ef1de548e516a640220d3cbc817ba2a58b185a6b0c7e60969825dcf796c0bd9a76bae6bd11a90c05a7b0d38c8e20c64a30d1290347c0e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
dcbdbaef7c650e1f2f9c6775287702fb

SHA1
e9ebdc4d1edcafdfbc7175959dd0c2245d1bf390

SHA256
542d9d41ece39a623f916e7d687deac26f66800e3cc5dd24d274bcd322dedd0d

SHA512
95c57f10526a14b85f25fce880d2bda348096f3ab7517b3f1ca122a82e0443ef23e3ec074135ae2baa00d1ff13df862257c57d36601801895c5116c68d88ab63

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
5e0ad0639d1b2ea1c2608e99ed2c8faa

SHA1
c1bcab3326c784075f3251f591dab76d8069f41d

SHA256
7a75666694f68b333c7691674302045d7e3ab56396020d5f5c60ed8f56e1619c

SHA512
c374d07551bd58a327447219f4d0167effbb3b9b15df3015842172c3aa1be39d83991bab8644f6db4dc612ff2e854d910b3b61f52f0323bd421e16f936d92797

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
adfcd4e6ef6aeca5444e46bf2154096d

SHA1
7062d8fe2db3c8ccaf6f3624ecd5d819dd868fdb

SHA256
af6276e6100563963495ce078d47ed41c70b032ddbf31219f143218d3fb74224

SHA512
f14a0aaa5cec66610ac67fb77dbf8b5dc80f6698ade15df384198806963a1ebbc7d7d8250c70572de7599dacbc9aa6783d49a7dba58d25b105345d89490cbcaf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
5209f458cb4e8efe555118933f549227

SHA1
a8b826907a63a935ae53c38ba744538f874aed7d

SHA256
d722496d5c7967327beecb27bf46bf6e5d073db4af829bfc9ac69e5c14e704a9

SHA512
d5e7a93f2e6f019bafaa2d9916b4d9742e861f1b1de9686cc196eaf83d47cc3f698eb91498b3e168bee9fe2f48a6bd7224d3fd4f619fb682530a3b2f57a225f3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
e0cb421fb9ed0e47a2ce8c8a24bd0753

SHA1
28c6e1bb5a51a2619176f4c3679a18121d4eee15

SHA256
5af5d676a965093d8cc8bb8fcaf72bb64be624bcb97dcc862d5558bbd7e26fec

SHA512
9e26a11b31f0f2d398762a01efb334f867e17266e39eafe1de6ba141f51836031c32721f8d5fbe98b744c394a7356fa7963a74198735ac4ec3531d2603065bb9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
11ba2bddbc9ccd5ea00d9bea0681d9a5

SHA1
2c638a374652a33ae9196cdb07e62d83844182b2

SHA256
947443282f6d1df1d16d0bfe54aa5c5e8a367063ff4196507d22a1cade6ce63f

SHA512
5b96a6de921f2abc6673106f3f97015789aceeb4d94d9ff85af0d7cce7da47ff9639f6eada80f7b5b4878fbad1a79a97295799d7e6ac9e2a3fc60fdd24ee4987

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
566d96b529dbe0c597609f91caf66f76

SHA1
e2b59fd86eddb8b76f028773ffc2f8087ac6b152

SHA256
33412e9a1666dc27fa021b0a815af233b922d69ae773b1f794e474450d3f8555

SHA512
2f2a3c7250286723d8fe3efb8b9ede1b8e078d68206af457a2323e0d2e706d0eba3e801c81d9d62e19ecfaa10e1f4efb85272d0544219df0f9d81b27a71b9d7a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
0e5ee3789d1ded5d6b570960648f954c

SHA1
0cd0c48254c678851de4357371fb8358f35cbf22

SHA256
07655343ec426c5a38a9b611d5b53a2ad2aa04cb290789deb6d0ee47f0bee6a4

SHA512
75667427ca0f4d9858caf5f298163b550226bca48fbbaa5785274ac88b21e23e8f48a5e4c9fcea689795d0eb0edbfb5fa92085c10a6ff2197a549b86e046b7e8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
23ed2483720cf2210337530a60d385d8

SHA1
a3201218a03bfca2003c89a209ca2d5f4e3bd96c

SHA256
0a2250cc69568309874c28ba9e0e5e89c6b0a1f8366c62f3cfde7ae3416a98dd

SHA512
548aed6a3290bae53aa3bf9306088a3ed13b5147f157888dc4df3173219e21255db23f3fc0a2808d1fa6d0ad3a7eb00a5f34b9513b034ecd3ef0505b3998ca72

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
060024e451c6792099af477af905e913

SHA1
b98d6c7eb830e19edcc09b885877d1cf00a8a684

SHA256
bef3ff22dbbd567a7b0e6d9f9813274a1065c86cc34b21b0c44fa13018dc0cca

SHA512
8cd95384ec134e888847952f5c0ab2161958008fbaa93205dbcde3c1e5a86610df216196608ff8eab483c9ce5a4611c50501029f00919475e384ffb6bea1e26d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
abbe590f029bc8afac7f87aa997c07a1

SHA1
53288b59985683d004946b97abe77a48d6b0eae2

SHA256
f89e9095289f95b68aafc60aaf2975ee6f280e4bb0ebe8045d72adb53915f496

SHA512
84c74f8c3e22934a9025478ae5c44f3f98bb9ca33954cc1c6f3ba29514774b64a6223c46a06ce441f0faba95bbac21a9ef5209ad0e5515ed78903dda7e8b4582

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
1182db41d9a233bcd4b40b5ad6712bd2

SHA1
c210f58efd72990e0f283c6afdb27dad47f9b1b8

SHA256
e660190961f736ac5b99d20181bac91626eb599f6517b80f904d3ddd81fb7958

SHA512
ce044a6c75cc48d4436bf4b4398c4f93292c4a48df9147d39fe45c3870bff64694e79e8e3fd4d85687b50613d1ccae79abc0fcb9e5e181195e1825307179ea1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
5f1cb51d86ff6864571844bf5e2ca8ed

SHA1
233bfdb6173d3e42854f6c8ba6b76fc5f3091edd

SHA256
18e1c4f4389d2e6643d43b81647312e4d07396f444354c8ee63da4a4f2c762b8

SHA512
a271f1959c67b89c3df2a5e4ae127685e3f7ebf1671cdd383004afc0f332e2c31fa470ec85cf065ea882cfa9a65cc4a5c877275f2a669f1374784a99e06ed0b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
1f408a8892aef5a9f66ffc6237eabb47

SHA1
250beeb680e6da58238c97cc5b8170075b0646d8

SHA256
ebc672df5049033b659ea119ae376f22a33b520843917624cd4c40d077931c98

SHA512
071d4d21bfde4786fa957703773e59f8d9871b4a80f8f01473b8886c7bf88fa6116d196e3c48982c7927a95e0c005cc60e5b3f1e60c4d63805f7447287721e48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
8cdab8c2317ee4d4e6ab88221db3471e

SHA1
f608e5a1c70e579dbd9fd3d7da6e9359adf6d344

SHA256
bf082a685f599e33ad4f183f6cc8c287d2f0449e828f1b32de2a24c96936bfcd

SHA512
9a7c820b873f0f37b4d8073a08bd84bffa8f13b49e22cf43aacdc745dbe2c19843598b85ae6714dc161fc4c289bc462d9582a422806bd60fe548e31271f259d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
db4467b5655daf5e14915fb323b66275

SHA1
72efd63293d54ef4f53873ce12682e2d46f82392

SHA256
36a09c3069c8e12a7d7b45919b001bcf1a10557504c4881e45ca2152b27420bd

SHA512
31e2cc46eedc780471b382ca6e01e815792e3f8d32696f28f74d537f2c9b9a78173c2c5a282afb971733fdcb62a57cc171c07e4f8434df7202fdd2ab78b0ae71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
ce5b5ffc8ec355937675011b888b9934

SHA1
1c1ac7e2a67925a5aac3507a81ae3ef5bbd7ed14

SHA256
12a7775140497d6cb1bae841b733ffbf8a98b77496def1fc124ef97d5421425a

SHA512
4e80cad384538a5742aa532aabf3b4d58684c99c3bf60f2c31a8df734b3f8354eb2c5274e124c6d7f66dee0fa225e0162eef71b2a6463d1fee6be318f66430b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
816060e504cc78d24550229cf7fa5096

SHA1
9cb87a924ccdb374b0251b48a5b0a3df734c222d

SHA256
bd3efb2f620f693ea2bf95c102d89d8ac0552e8bb5fa4591fb442a8f441d75e3

SHA512
3836313609b6bdad8be9055d833b2a0b9fa2c809836d173ca3c7d95fb5df0b28b215f02331ed500f8566306a65e30b190ad3d1482b2f170ef8bf236a40d60114

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
7881d1c1399349dbf80d76bc06ed6b34

SHA1
1f508a5952eae5f1599835fe2d05cccd6dad6b96

SHA256
c5539958c4fc14d95fc01b4e7dfdc317d1783800c65174e37fea5439fe10f1d5

SHA512
0aa3012cd505ebc75d1ac2bb5ebc928226809df344be46989c4f696b345c63819b7b014e6c345ca19f3e9acb6103cc1e4977cd707957bdc0d236011fb22200a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
77c0c58bc1e791c74bbc9785822630fb

SHA1
6aef9957a7af25a64b130269183ac9c7dc37a7bd

SHA256
ed38e8f95c12e3f18a1975edaa801680057a8bad4b23f4b87295682deb725f47

SHA512
282c3bb22802092019951129bedb281fef6eab2c64042532bbdbacf9174299eb7d26e0680bf49e6eff95cc5d66f2091174dbbc3eca695dfdc84fe4f3091c4590

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
c26ce6a93d29371907a60f61d777984b

SHA1
0edccc2eaeef9a03b798229e2e24906bd37f6da0

SHA256
aa047db4062578167e0a64c41c07c551dcb620ad9775ceb9b4bb71ef96bc774d

SHA512
3f7b7260d408c15e81d3d784b274b3fdae8cfb23d760c92166494a865ec0a21c62ee4ecaf9681de585638b958a2c149f7f0f4029b3fcfb275956fa8f54bb730f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
33cebc5aa90221dc0dd1865a1e4b5612

SHA1
a63a807b120976cfb250cf6e4c874da48f071744

SHA256
360799d91dbf4f6592b845dce1d0653def818640eb96dec98bd29c5844c7837b

SHA512
56ed3f087581a4d87685de432567e8322cb32967973f00b5430574b63b89c1fe9d32a29d9d4709c61b135a4f8400d71a40dde5b9c2c7e90a9c21a3c4543bf401

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
51e5074fa09e723ee24de74596980a3a

SHA1
50935112d00bd1221504eeb8eb9607e6a31f52ff

SHA256
f69a1257b7488a4deef343ce4308bc44c30c0ac4c1625a585ace9708e0a463c0

SHA512
a77fc79c7fd29b26e39bc87f8355e602d4a69e286a4c0b7aab20fe558426ec133ebd9037deae0d67eb94283484f320bcd85a24d71e02ee73523aaaa280d6f26c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
55f05d9ee0b1ad12f3003e5e6b796c0f

SHA1
c1a954da51c22a73b7418066d0c1972ef40aa787

SHA256
1b11313f7e44c4e9c82c2d6cd9b3b31976e682defd2928a9a6d2b8e6d26b2924

SHA512
154b21af19ae895614803a519516d0558542e84747b778c66bbae78492162dcf719a1351452e68274bc02f74e34cedff106d83d79baad049f320782b4f2a640e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
e3defd975b566363a821d0873e8706a0

SHA1
3faac3e5abb185d147676b5895a4d2461b0ef10b

SHA256
b9e96cccec4ed7e4cc9e11fbbbef9499cc7bfffb13b2ef55c1811a59af5e17b4

SHA512
d83341a878e50aed5d038de8d91f430f2950d84683e8e017eb1f25c84ab83777d0cee642013030dec9bdf373da4dad2a705fd6826e6c01853a1b3b3e7623d726

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
9e4019c74c813578d1cd33191f36b487

SHA1
3dab2d44b5b47cd2c548e664afdb42b3a1dd411c

SHA256
ef43684bdf8cd1c293e54db038940684756a0892a248d084e769340dd60de0b3

SHA512
53d4868969cbed187021fb321caef855a40c8bf80f906bd4616937dccc94a34ce83ebdc174bf158ce2a9b2d6cbd7dd2e76b28df7115324206f25aa3996226051

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
0423bf923313026bd71124b279a31699

SHA1
20bd73b2f4fed199535e2576544fd429aa819185

SHA256
b68cd4f15f482e66253efbf23c3a288f2adbca23ca716dc49c89612402f9d971

SHA512
215408cbf47a826337006a6aa67ec8707900f76c5da598e3e044feef11b14dd58f81cd02404d1a0f68edd89a872aee1151584c76606a7c8ceb4d5fff62968bc5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
f7397c8b49dca93f71a07a85a4fad4d4

SHA1
bf04db30d2477ff575dfdeb531d26c0a9976ba13

SHA256
bc262ab76420ed6d8bc7b0e974c85c84db955944e5fa9fa2c2c4acfe00f2f719

SHA512
33a4b891fd6dff1521c8d49cfdd8a11c8805bc4a5ecad3c85ba0620c1cd8f696e0c3625e4a2e41ddd657bf59383434439863788abac496ff9ed852d3130a7526

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
a8437ee6f92e214f850bb1b0429ba0f1

SHA1
e8c66340f9abf8a0cf3dea581311320dfb886e2b

SHA256
4d60cfce2fa6e4fb50497592709f69af012dca929f0042bc1dc3b4a60d196cbb

SHA512
9cb8187908c6e3addaa962d13833008c6ba8bef128d39373060a5c0a2574c1c9b5b73940ab2d4dc08f4dbd461df526954540781beb71c3ae00962d7ad00c7d0f

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
7d8cd953b3d61254bf9dece1df6edc71

SHA1
f0823f9b0804f6b536b4d8f930a355d9a5f6fad1

SHA256
7f693e2fc3a5839a7b9df5f277dfb6646f61899a5c81f2199230b767db52dc19

SHA512
4c5329c0fc9b4dd72a61c99af3e2ca4475d05058cf46a53392c829d0b397d96567da0d8a2fe6ff6d87c6f65f3d1fe756305cdb5dedd2f217b5a8a399fd706e94

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
c2588bb8d583e25cbb0db3b997e4958d

SHA1
336fb51e3122764b8d5f32bc59ce4b2dc745252b

SHA256
266b63e900a2e2594560db0911e89fda151e5fdb4deaca83541028e4f76d626c

SHA512
ff3121746cb015fa792c98fb250870c0919bab11008ef314747cccf9a3bad83220409a7b1b8092a46e90b1e61c605c346d4a818cb1111f878db24290b4b87ab2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
290a0ea62d362cc3b9299affd37fd07e

SHA1
1cfac188de05b701cf5b48b02561cea4d9b45b64

SHA256
9548ceed6777d6b573830b5fd965d6c09539560c9e9dfe427be989d3dabf3b8c

SHA512
4b34eaec9d9fc7d4a9fc13ded4d02d44d4cf32e00afe915fa78cc54a54e32b080965ba2862155769f833724bce6d087ae9e40d6ebcf2169c16df8e9b60008e56

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
2f7f6cd346aa240ee9679410f104d05e

SHA1
f5c119ba945437a2d0afe557ca6ebc6203d8f1f3

SHA256
7c541a52b4bd8b5f098d34a27952471c872d128d0d799b504a44e0866f3ffc20

SHA512
33e52acfc2e13534fe2efd41899b14cbf430a6d7328a902acd1ddab7a9767221384acd3a1ca5383f536714b0f5c4f6d5a630e95156e69c2bb68da642d7f4248d

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
690e4106c2c32501258313a33bf0a131

SHA1
4da207b9a6e9746eb8f70af2b1b457949a0e228a

SHA256
618b070fcdbeb22340571a08c83010682215aa4fea6e55cec7a06a5e369a0397

SHA512
c4225dad777d8565e4ed82d2d218b3e786b08b3af159501b6946f966421a478f0b6be46206cf80e11b18883c1db4307cabcb553ffa07731cdc2daae8457428c6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
874e56efb6e7a946ae11dbdb499e4e90

SHA1
d1f555bae9865f33de7ed6140eb227032bcde176

SHA256
d3c444095ca1ab8a32ae309ca6617d1a1fff5b3d18a8a518241f5fc14296d2e9

SHA512
55afc698bfc1bb0bb1664dbaf9bbd8fd88a47f19194fe76904484e7ce43f2aa7b04edf81cfc776d1f7b53ab58a02fd85ff9f4a01407d5ee7f9e4af4b2db2a9bf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
3b1426a301cdc4cf5ec2f002007b0588

SHA1
afd0f40f98a0494ff1fa5f0823aee02839e09063

SHA256
c22e41cdbab844908fdf9f908a771888780c32a8366e7803b80e5a6b6a05d05d

SHA512
dad8897169ba4b2b7543698b19639a0ea3be06ed01077d4caf731c63324316757d7c2d196308183c0aab1ebb18b154ba6d22fc8d8e43b1c5532a32d1ab6bcf5c

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
59de9ed5add849ad8f1fcb08304b379f

SHA1
d7b5844fa8e880a21ee229040d8e362f27cbb26a

SHA256
422c8f769febc9996e206fbd24d1ad689903d1ffa936cd68324c705a6549883e

SHA512
3ebd3fbbc0b6b04c9fe6629beeb2ec1c0fd2df2da0ba4fc54d4906366e7ca894c07ac122a2e209a162082e585a8b526f46692546afd7a14a677a3cba1fca9766

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
fa9e948725c005398ba76ce1ffe92046

SHA1
a1093cd5e6e9d21928427af45ed4a4b66a760f62

SHA256
8d0ff2e4c54a9b3c52491b8b88377b2617f5c45623b4a0d96d852c8908a23bad

SHA512
0214ab443b63d238c4aca633af22695ce718fdf146271eed21df913bc78b75948c48266d36598c3a49b8e591230713b7806918bf512f1dc317b57f3fcb3cd8ff

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
033043e3d24d0f7269a3cacefd057b49

SHA1
551d7e1c38fc261f2237743a9c2dda4e0c7a2591

SHA256
cc0a66d414877615458d13a6a88943473bf4cc04a40e3efcad7a1bb98a7e5f3a

SHA512
87782bcd01be44cc076c832eda1beaf11028ac84db8ad2eeb5a7faaf2f171a7cf42a7b3601c51bdf38e45d853261b01e5575f68e91402079773d96ef14edc592

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
2208f531aea94cec38403e0a1cd213a4

SHA1
367b4443e156d1afcc8bc6eabf13ffe142d24a04

SHA256
101dc6ca1bd5782816dc85cbc71b1e7b102371ca53a23068551c76c3c4208802

SHA512
fb8d8fd994e6c683eae2de34fb0e674ec45759dde0720cc0810de8bbe7081e05566014567bf8a5c336f613e4b5fbef66aa3968713abad85b0923014592a9f821

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
d8179ae6fb02e71314671e6864bc898d

SHA1
9b07254274bb6edbc7dd456a27f2726b98571c03

SHA256
47f99ba1bc37005f4fc5007f3012477ddf0548cf0abbd5b2fdc4fc08d5a225e5

SHA512
f3cf8e9f57bc13ed249e01d352dbc75da65e7fed443b991d6d863724975774ca9378638d4cbb2a41e8661378bf95f7daeb0c567c7c4aacb2838ae5e51bedb7fd

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
e9d3c677aa9a1bfb9eb96a49f000464a

SHA1
36d564f2b79e347fbe8023794e2a4e1adbca6597

SHA256
41205d7455df8193b0d25ea057f8b5d885d487c5f9f7d9b8f52e11f74017ef38

SHA512
3d3734103ce4d79ac21149f22a2ae8edce320d87ff143afb621ee324f500cceceba37531edcd986f2147a1ba7ef3ba71fe934de32bb7e380d3b68a41d0872ecb

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
d35ddbcd1bb79874c4578bcd8a55e5d4

SHA1
26de0ccb998d6fe59b388189c8e0a86089594e94

SHA256
d0a26f241fe5f369f1c18c06ae390c17a1aeb843663ca72845b1690b5e029144

SHA512
584219d4bd1f5d1ad03ab291990d795b056c107784d5550d34a3bfbd8e705ba39115da480ec1d3a310d39bafc9bd2315f30b4d68029143882427351905aad325

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
03c810e4f1744e5a95100af422c9af4d

SHA1
2f50479ed7595cc7ecdb52d97b831f66c06c756a

SHA256
426edb6bb7f0ad6763ad5361432a9ce42fdc16467ac6b97985a2c4b7f60f2c75

SHA512
38a68da32e66f402d85b9995167ea3de17cc2e49e79cfe6ff3dfc4d02894e609242e58e756faafe7a4a1f35d2c62649eae894014bb1492438bac0e0492f60aba

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
38d60816b78d67d429128465cd20ed30

SHA1
91237c810cf919416f567349364840fd72e8036c

SHA256
56f89d20512a094c29d30c883ec0962cf52ad7e80d231bef4b0f98bec3d681df

SHA512
549452c90f3e7c95f0336f8784684aedf3f6508c179dbbadd3f764b591eee13fb9f8280d641eae91d42ec2606868ff0dcc80e048e6fb1c657a3b1d8d0132501c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
4a9ac7b4ac82e45ef637efdc6295a8d4

SHA1
2e4b5796be1a123137228d8fdee1ce5e8c4eed5b

SHA256
1f487549d6952050a3a9c3199e2ea86446e437d48a8b26e7a83a02d5713e56bc

SHA512
2542dcff2ad5c67fc7981efe5f9e63f29911923f35e3e30c87c2acfb4c79cf4afb8007763b12e5053ee4ef05576d89248b559a935a668840658a22a246f9da0e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
39a272f10f7fda195c4597c21394e668

SHA1
26c2e3de209c356230c160d4d8b28a815fc8bfc4

SHA256
af57df52066bb589c2887488feaf39988f55c5d090655bd016efa37c11d41671

SHA512
9d95c251cc33d2585012bb25a532a68ad564dcf99467ee4a5e4ef72f2c86f352b03f7d432a279b422aba971a408a9c321754f03dd526bedfd4d35578b83cce36

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
b3a4a6288458f6fb2493afcc4944417b

SHA1
06a447e51472ab620332cf9ee83a44639d5793a2

SHA256
387b2a04f91a28f8d9886aa75b0cb89a99055fd88d58f28083d98485da71f751

SHA512
67280edd5cfbb75149bb6267819bc49db4c8b646f6551cade7550a1e3051b587e4dc181c3b7b23eba9e9b4e39f9a8c4f20e995b2276760f0b5a4c8e5b92d9def

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
1a95f83e3d96b0091ca96792249e528a

SHA1
cc5a6dd76e8f3ec40aaa585a0b1f3f8873402719

SHA256
87508129c6a7eb80bbc0d401ac9b6c1bde0bfcfc09d5fe980e4b07381db2c20b

SHA512
4468c02315b6fdd88c0d481f9d15490109bd64277d75e18c92e18b672aa0f82e314b3bf17cdd15e6a971ebe3adc06aaa71bb2136cce4485f8feda48d5eaaec79

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
f6b66cee7509f8a9c560ccf352320948

SHA1
6a97c0a2b7adc50bc2f4f96b65c735633add92d8

SHA256
44ea38d8e1f4ad62f85b453d90da04cebd6cf1aad4f3d3d000fb16586f6c5727

SHA512
66f885ebb4ce48e05a4bb8b17856ce5712c9cec7a1e3a0c47481e19d8cbfbbc697706a79d30240fc719d5442b2a697e5536fae5b33f9dd1e1286ca281130cd44

Download Submit
memory/212-81-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/216-85-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/216-156-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/216-92-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/364-376-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/364-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/484-99-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/484-160-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/484-100-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/484-105-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/836-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/836-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1488-164-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1488-487-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1516-23-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1516-16-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1516-22-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1516-21-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1516-110-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2056-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2056-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2056-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2056-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2056-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2172-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2280-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2280-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2616-32-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2616-133-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2616-38-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2616-31-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2884-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2884-481-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3104-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3104-145-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3104-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3104-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3108-72-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3108-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3108-78-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3248-161-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3248-486-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3288-111-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3472-458-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3472-134-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3648-157-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3648-483-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3740-169-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3740-488-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3764-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3764-109-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4268-168-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4268-381-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4268-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4576-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4576-84-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4576-6-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/4576-1-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/4936-482-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4936-153-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download