690297249e2373d9583190f40ab5363a0b56bd30129c1c9313cf833084e48541

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
Size

1.8MB
MD5

b0d4165ad5c9a7a0eb8f125d9176d00d
SHA1

396085a748d9aac52bfd4703baad2e4995dd45a9
SHA256

690297249e2373d9583190f40ab5363a0b56bd30129c1c9313cf833084e48541
SHA512

7ec009dde09d7540f56ed359a0c79e827c24ad43c68cefac2e504f858d2dbadcae3a2cae862d1c254d1d027d675f0b90c39fb9e543353921f8d43a8b5d11346a
SSDEEP

49152:1E19+ApwXk1QE1RzsEQPaxHNu55FVPsYdYGxc4Ubwn:293wXmoKG54IYGW4Ewn

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3272	alg.exe
912	DiagnosticsHub.StandardCollector.Service.exe
2972	fxssvc.exe
4692	elevation_service.exe
2636	elevation_service.exe
1144	maintenanceservice.exe
1744	msdtc.exe
3236	OSE.EXE
1600	PerceptionSimulationService.exe
2380	perfhost.exe
3424	locator.exe
4816	SensorDataService.exe
3264	snmptrap.exe
3880	spectrum.exe
4144	ssh-agent.exe
4160	TieringEngineService.exe
4332	AgentService.exe
1140	vds.exe
3212	vssvc.exe
5064	wbengine.exe
2712	WmiApSrv.exe
4616	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4dd5741e703f493.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c44f048f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000316f9a48f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000155ba648f8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054c69449f8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000233f6c49f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8ae3848f8adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2fc6548f8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058d45e48f8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002aea3348f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
912	DiagnosticsHub.StandardCollector.Service.exe
912	DiagnosticsHub.StandardCollector.Service.exe
912	DiagnosticsHub.StandardCollector.Service.exe
912	DiagnosticsHub.StandardCollector.Service.exe
912	DiagnosticsHub.StandardCollector.Service.exe
912	DiagnosticsHub.StandardCollector.Service.exe
912	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
Token: SeAuditPrivilege	2972	fxssvc.exe
Token: SeRestorePrivilege	4160	TieringEngineService.exe
Token: SeManageVolumePrivilege	4160	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4332	AgentService.exe
Token: SeBackupPrivilege	3212	vssvc.exe
Token: SeRestorePrivilege	3212	vssvc.exe
Token: SeAuditPrivilege	3212	vssvc.exe
Token: SeBackupPrivilege	5064	wbengine.exe
Token: SeRestorePrivilege	5064	wbengine.exe
Token: SeSecurityPrivilege	5064	wbengine.exe
Token: 33	4616	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeDebugPrivilege	1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
Token: SeDebugPrivilege	1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
Token: SeDebugPrivilege	1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
Token: SeDebugPrivilege	1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
Token: SeDebugPrivilege	1004	2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
Token: SeDebugPrivilege	912	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4616 wrote to memory of 2628	4616	SearchIndexer.exe	SearchProtocolHost.exe
PID 4616 wrote to memory of 2628	4616	SearchIndexer.exe	SearchProtocolHost.exe
PID 4616 wrote to memory of 4120	4616	SearchIndexer.exe	SearchFilterHost.exe
PID 4616 wrote to memory of 4120	4616	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_b0d4165ad5c9a7a0eb8f125d9176d00d_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3272

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3244

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1144

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1744

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3424

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4816

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3880

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3484

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2628

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
591e0f4f8fbbc15ac30bed9d1cd67206

SHA1
fe26ee06f560587f93ac8df6daf4704f9632b5ce

SHA256
1b8078aa1db048d191ca0cb844be0b22fba5ebafb308626505a24fc428db87b4

SHA512
8aa70e44fc90fcec310619404857071dd346bd94004afd32dbac560d23daa54d0696e2f2c27603bed8cff291d0341045f89d561007f85f1d8d5b2aae5f3c4d1e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
5e4e473002eb5fa719d408ffb0c389ab

SHA1
003d84d62a2984bc31207a52a8ce095997ebfb85

SHA256
e0d6cec6fb4551494abbb227c9470bb5ac27c7f072bec1e538feee2059ce186c

SHA512
617ca8703a702dcad6c78a2cfea0b2c5329603e0325e7a9617bf1aa3b080ebe012037f18dd40e44b032c3e719bd30309495524b49de7eccce9869ade7701f67c

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
511b2abaa58b9f6ba8e7704d6022fcd0

SHA1
0cd7615a590a2499c6f1862f7d1f6c5a6515e09c

SHA256
2088030191d1c7e4b569b1af853e4c6956b7af29b250eb341bd9c8afbf499a77

SHA512
9cc07357dd0f0aa8d0e8275e0963a80e9fe1217988b055aa426f59f0ddec2f3f8a368111b0a04def0f2b44a9323e68665b46cf0aac4709d4f53c408c0606f415

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
934a7197bf3d740cce11d647d087df4f

SHA1
2961b605b5a2dfaa28ff154b8b7e3a5fc8e4e20e

SHA256
74fcae8660e1139219ed8a7727ad3347af857fdba688b64dd2daad4e384d7aef

SHA512
d22dbe5492b3962c5255a8187bfa13666db18899933b6eda01345effda832bbccf3fdbf48e7dfeb3a60f56dd9564a7589d26d195bf9c8bcd9c9223feb75cc8c6

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
bd1aa480a836d6f07bda32930aed9f42

SHA1
d75a0b9a947438b122a19782f26d54122ce33c03

SHA256
b7d01f5c7e6c10eec873a5ad1b4979940a841623ff558f298464aed520ff6f79

SHA512
1d3c6c1002a5a55eed4565127a96d1f8dc0c3601df8391a672316b0bc764621e3d9623da73cc0e58ba9dfa8e40c799e52a5aa22d77f9c2ba7d08829cf13ff5f8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
235c793e80632335ae9f5d31cdc37e49

SHA1
818920c8444edc23525aa7c8424df19b4eb12c42

SHA256
b3b678994cabe4f079be628939f8f0332de15f33fd845b23eb18081e5ab931cc

SHA512
765bdd4cb8ef6e3efe326661250658d8305e3ce4f09d97d915aba263535b6e3a3cd2f216e13a62a26ffc66735cffdd0ef83fdfa6b6838e2fbddd09bc42355efe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
3d680738354a25a513b29128bab38f53

SHA1
26bbda3cb40de3d5a98150d0ce812e32acb8a67e

SHA256
22a8381a5e509505006fd201819b4a309c097ed56ab1eade8be6e9312ec9c6fb

SHA512
6c43b64bc35cf6c0baddec604d9c00b77941c2d29428ebba97b1438bf41fe73011104d97ed425a839f7a9af2abc33144fec4e0e2ab393676c85c540c6f8f67d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
9a842ac76e07ff6589c1a942a03506dc

SHA1
21737daf41343787b171aaa828e49a6679e8ba2b

SHA256
91a0f22e36b04232c1c96adee1f6526e0a41598043ba7aaeeecb79636096015d

SHA512
6f88a0e987afab8e046d7e7c03eea5755a75fdf35043a1e21e8879306262421b74a60195badc32d79b6a59095fb33a08de34a7251d01c4f7b5b6e98846b8fc01

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
1eef8caf59cfd869b2ec4295127112fe

SHA1
4beaf425d610d612ff603026a0e92c994a1a77b2

SHA256
7cc249162edd3b596f0e72003fbef90468b337137d3780f909002c4f93e2f09c

SHA512
573fe54dfc6fc07e21344d17a8c97f2a309988c97b6885e22e2ac6b1128f29f2cf010c842e347abb1be767fa1af2ab59c75c19f31c4843db685908f52df87193

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
4d9606d3ad15d8f79798097f33c06ed7

SHA1
3c0712f30adbfae69b13e3ff0df77a4e24631c4d

SHA256
e8d7641f5af68edb7c901c325b7a3d74459bfd8c910fe1a182bf9f186a01324a

SHA512
6b7907c217beaa8d33e71df32907995ba90b7c9df4fd300d176f2d62e2fdfc523ee50394fd4466af38affa3a86fbc3fd6d4ac4d7c489a2ba1f808f84be3455b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
74680dab4efcc282280138f1a7566027

SHA1
fe6350ac0a2bd9ab200011106ea5974c3a6771e4

SHA256
2312891e0b086222984fca4f485812f4441edb291e69f445a1cb243624f7211c

SHA512
b36bed65bd7e7802e348cf96985f5f3fb65ee009f25f932a3c1ee87454e2a2cbedecbaa2f949b261c2422d7a1c268d1c4a5d36b67871edb78ccde02ca3b9a3f2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
73903cbaa4456d326a5bb96185d69401

SHA1
88088a017361808c1e03425cd3c415956d849603

SHA256
c9f3568be2f3785f7a48365a5f87e7ad77914f059590b794c1aa682790885867

SHA512
2a3edb4b8954bdc903dd423e3c76df96425c34d4614c5e07a81f686005b0aa2d784a4e7a91ce11544285f84528ba1fe4e36fcb50386dc29df3759d5dfd6a5007

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
86e9bde10632afdfa9124b2187452f78

SHA1
7eecc0b2ddb425e83c50dd4abce2b1cab8b0edaf

SHA256
fc910f100ef2a7cb8604923969c81d5abadb15eb78d0216fece5c1b9015c0a28

SHA512
6d2577e787405331d99169370c200aa525dd0b021cfca95f4898f665f191713aa3f0f95d74140196a910948659a000b19637757b78cc74625d0bd7f8aeead3a0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
0ec57ec6e8bbcff1fcf1720b7a696326

SHA1
8c4d7f55280a4af390286173b787fb70b18371ea

SHA256
0e3156ec2f0f6ccf28b580639b0338fba655b44e436a4fa50cde931bf79e8882

SHA512
62c4d867cd4c5921e42a9d2df8274f4d28643c7c037211a2d2aa576d22759c9f9560e7665d3484bf370792480ba9cfd99bc05ecd9d8734f4235a14e9a07bb0cf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
2d9e69928371c3d58c24749a3989e9f6

SHA1
cdbccd3ce3bd0a2501d9cf76c1ecf3ab11f361d4

SHA256
9e195c291f5bf1e6d793ba96d2d2ab6c612ac64731296588a81d2eceda74327f

SHA512
fd22639707bc77a2fc1c59b2546912ab229be325c7dc9242b833504c4ffca09cf9c14451c8d206908063c5525479497be1ebf8b531a1a4798c725c49c00f4b0f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
d65ed2e20fc39b77db24e9961d85ec7a

SHA1
567c3e14b0396139393fa5564efc907da45af883

SHA256
e03e8972f10869b04c0179ac4a76d078972a58d1649194c03ad7fd2334dabc32

SHA512
98a567377818c6b73173243744f89f15fcb00433a247d372c4bc4a990ee3dda744c191536346493d79fca4eced8c216751e21288e65cbf86da1dfb59ef91a44b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
10f7b4f4e58dae84e03c444a2a1d1810

SHA1
516a7052b7aef1274398edc336e76f8108d8be05

SHA256
c7f3cc75b0c51fae59c666831bb138653dc6f3cc122ebd8362da83c51b9cae7a

SHA512
b2daed29da888fc77986ae4bd28e4fd4095ecbc02bc4b94e1aa91642f0a4d854ecea74c7d9c03d53eb6c7cfc1baaf0d84f0a36c8adc1e33255c2972e276696b0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
c625cb8e5acb939bcd90020ee6339e8a

SHA1
6a934d56b6d685f95509f52bfa52c77b153edb15

SHA256
a54006d2d348bdff782dfe59c47fa27c72c0e4b10a499c2534ef34e37a6b621f

SHA512
8601260d2d1b94ef87054a3825e817b7b7fc3168e25857e9c7ddfb75ea51f4e6fb7306f2c3be837459c5dd2442bc2d102eb7099aa4cf3aaed6cb1dfc237e50d6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
d8cc68ffe0e3aba1bfe03e476d2c6b4d

SHA1
e823493eda2edf82d2611372afc2c7e076b908db

SHA256
2018a0154e5515b82beead07c4cec26f8bf824203401a5ef22836706faa03119

SHA512
a185789f90034fa582c51c0e55dbdcf2f9cb0479180146dc3d9e883141eb2fa5b06f59d1a607822a274fb24765f58f38abf841fd473d6cb61ad31be38076a71d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
1a4721ab75b094831e01a2d3d253a79a

SHA1
827b8425b2fc992b5918c571e6c20673f4bf9e6f

SHA256
9f64305e911e74b7e5a3f01c86b2330df8e7713214aa04dabd40c070a9185715

SHA512
666fde9d80db8b404d9b928fa95296701ced3bef55b369a82d9d676573925dae3cc5e9b239f17b39f8f9e13eb95dbfd6db575b4f51353c0463012df145918477

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
6260ef1e679ffe1f53ce9076d85249da

SHA1
c61f23a7116dcde370af22561ef5b724c230050f

SHA256
41949f73dfe8ba8717d58861e41269ef0328dadc306b3d4ad151e55664441e55

SHA512
d4839f63f8ab9f41fd790dfa2422affbb8066f27b8d00ab7841579ad71c26ca52407f8009b2026097201c7e3490d16c5a7ef3e4434081f5e911d355e3072eced

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
f75e5c0e4fc7314ae74d06276f4d9ec2

SHA1
8a46eaa1992d93fd89de066ddcc7c68d657ae422

SHA256
0bdb210efd0a5a893c2c71537c591344d2083052e227aa2b0a058227fbe24560

SHA512
489f740202e68d6194c6222be951927b8bde6c83fc5a6a9224cb51c9bf2002b83c92bdd04dca2e56e05e5468cdab9af9ab99e99d7d230dc956524343ee0d7a66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
6a6669996a89b83e0ec7911a7c958d8f

SHA1
0bdf5c2eadfb4df7db804d27b4d448d8e76dd2f5

SHA256
34d55a54a4cb2641bc63148d29cac4f7f08753a7cc25f7b1d588700df1096de1

SHA512
eadd42ab5f84a0ad1909ac2ea4502e248e95e1b5aededdc4665d1d8c105fe144f47d3a29f4d30113b4342d20cdd471bbea48f692a8ac145e0dc3ad95d4a5e0b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
66abfce43c37daab2aa69529775793cb

SHA1
27ab8ea108422cb6f5d05e150ae3b4d65e9365be

SHA256
011a1e9b96f0607ac13decb8d4baa32f6f3c0f64e39bd24ac8a862836f4b67be

SHA512
b98e1b819b9eca7a973ed89b2de520aa289c2518b630d802386d771ee511e5c8ba5b148c3849cacee8a0c42dfddbcc064a63b7bcc95d924f0452ac46f3bbbc74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
342bb8b639b1ba23bfdae40740ee3ae9

SHA1
0782a7480393a0857804347c3b3c838eebf93e57

SHA256
128cd059e404fb1f8c7da75f7d711852c6f029f0fcf510d5408fb6e53de6d324

SHA512
ab19dd3d80af99ae98cd6ffddc2f458ae52b2b7a1c9183e42e8bec171447c3290073a8768170bc3e687eba6de93c5cfc765a2107489f7c5380c8d8971ed9d8d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
3f8f23568459d0b0e0162a181bfd835a

SHA1
944610482d08e4fa36596afac629f9fd3700645a

SHA256
94cdc2e0d8863c7121729fd395fef878e28843b1b3b09f917d03e969dc42e50c

SHA512
04ec071ca3d820ed2bc689dde98a130bf7292d5f956231d577a74de40664e239003445225b337df84f97d9781ad4f0580410b7ec0ab451bfc4c0873e26960af5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
66ac79c93dcce7151fab6aba0f1902a1

SHA1
bf0934afea3dc51bdb110d5f892bd3665d0222f9

SHA256
8866e0079bd586aca883328def3fe6c2ec8c02cbd5663c93a42994b6cfec3ed6

SHA512
c464fb2c9cd2f1fc6f7ff3f9e2d1d7c5b6c3c981fa3413ea2829faf00f1a478f7bb9eb2ed6ce55e6b19f5d948c53946187562d6ab1ba5573b22e345d00a0a59f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
f64045aaad6675e24b8d1281541e9814

SHA1
da222e01206351defcfa844585aa83e9f13ee168

SHA256
9265bf361740d9706b2e8998d4dec3b923dc186e05b46731f3a31f2d23fbb0aa

SHA512
7cfe3332f8b3adc179f9d1c1b8d69326ee71003804c4d4457f6e50d85a98dc2b3731d81067018fdceb4810313bd6316abdedc0193e731adda1ce8aec00953438

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
1f1e9d0f6867ae070024953afeb3dd5e

SHA1
ae4c23734cbf032fcef2a7799233b5e1aad55cfb

SHA256
2fc658d4ed0267f91b705a08850d2c3fd5fe8f2ab5d1d2b9c8a39ddaaf20826c

SHA512
e579fd82fac8167bc030f751b0153565a8255fa69834455b2aa3443631113afb31e00470fe8882bd5c5c705a4b1d0fc0215802cd3da7a90ae3b990bdcede2007

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
41fca23c8315a2cbb24136c1a2d16bdc

SHA1
93658b9dd34c70f51d03bcb8a35564e216e4036e

SHA256
1a8ffed5c10ef16808ff887e06fb7b93a397a60e325944369eb6115591caae24

SHA512
bf803d015d9b74eb0fb8561d25d7dcdd514b7d85e8aaf233ee8aafc2fa820d316d4858d97b41c9c45ae80c89c6d749cfeb682e2a9ef4021d92343ae1a11a6db9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
2327ebe219ee2751cf82a86d95e650f1

SHA1
ee1fa1966ea88153fc1cc67a974d8c1bf8246522

SHA256
5ecc9e475ba490c0e4724263e8a0265b9ef4d6c3dc1bd9326c3fb639fac330c2

SHA512
af51780a77b9402a8d518829ba20295cc074cfd3c0b14f5266f25315a97fb8949a8e338da410491427f6f3b6cd6c7adf7f43d1fec1fa1583bf7221ad4feaf9c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
c15344391e454f52bdcaaab4568738aa

SHA1
926ff9009aa0fac93d681147cd011315f757335f

SHA256
61747be2125532ffc47acc2f61c75320777112766c38fae796daaa90a00bc415

SHA512
316e23fea4b94d7821a657389399fe1e7a74fa46f61bdfa703bb9d1ac7f08194748649a69938de3f00c1c6a47baa8a8d4e4e00e623f1c889fe9f1a186daa7287

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
f0a8b4144466121a0f38cd689b5cfb1b

SHA1
b8e2dc9b8bd470a3f071704ce81f3c73d84de40b

SHA256
78fcc472ef3dd1f12e5e0bf8c5647bb7cd0e3c9d9bc8a94629c887e238f18c3c

SHA512
6d3cbadbae3383f6ac6f8d8f82a789e82c917cc9fe069c474520efea4444b309acaffa6aaf33fb7bae28333fa5aa4488d014d418801fdea6011b6c0ddcb1be71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
0852b48ba0778c3bc67284ace7addfcb

SHA1
e5a4a8a694b5e9ca2e21a121a34df97b6227cd52

SHA256
e03c602b2548b65240c031fbce1173e91c16e1cffaa316d4b9dcab8cc2caf09f

SHA512
c2f1f5fc902d3c8689988d8e258654bff39ae10059099447329b4ece479466670ecdc0b381052b6b5e0ab4ec1a586c2504fd45e0d51e096ebecce8a42e71acb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
faeebe78bfd6b012ec50756e3f9d6953

SHA1
e020af2c6bf3672bd3da81a609bfc685b0ddcafb

SHA256
2b76e78cb47efadd278447b2c92f5c0ad051d10ce8089310600131774b03f142

SHA512
b659560c6e95694100f00ab3e69a7f1bf3821f03051a6ac188ed27b0bdfd1334c793a424511a58804939d05d8e64251d793507a44700dc3013354ad3ad5bcb18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
79226a66ec1a717847dd33b6ce548804

SHA1
12605aea9ebdd6483cedecd54303cb14a3b45c13

SHA256
c28ca8a3f37a15760d740488c0c9dd2da05ab477e4cf09325926d1da27a4ab8f

SHA512
8e64ad4c35c16433c8c6a9c0708afe43cedea6b13c0720887b980626a7330195931c5df180a92a6932f2d831a57afcc8d95e8521b4f5ebb2a1a2b94ef7240a54

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
0f1c9ce464ce4bc8e9b3a7d5faf93f72

SHA1
56eb84d7ccebc1924d8c63c0698f0f8374ec5fb2

SHA256
0424a3389eeecc284d18438b8ac2a91400f9b1588f6b83b6625c67369b09fdb3

SHA512
8e0a12f709f5b98e75087331197d7f2d0da4cec50d4121ecfec7fb98b2f24d723ec2ab58b60943a400ec67bf91085d7899f91fee4a6823c83d4e8485d17b4147

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
0e2d6280679a78ae927207e05604ce52

SHA1
5c4168872471ff1959e482996b909ab6cab73442

SHA256
672284980c52f463fcef4c065abdc60fcb1868b0a7311d6a4b01d4f6524ae480

SHA512
aa302273b534edf8620ebe2ddfc426553841b3422b214dc59241ee904b0803e37aec0f1432fb6310ecc7b55ad50b1cebd2a982d921361ccae8b3c24533bfc494

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
b00ae440161dca05cdd25e48bf6fd8b4

SHA1
1a971b3ac4a2f53a2ba3039ca470ba35120565fd

SHA256
0365945aaff432b256c0c007e5b409c5b0f480f41b9b3640138646caa0fbd52c

SHA512
74033d9e475ed8cb3b607e46a0a1f975fef7348eaa8909e65dfe90831268907e37da9cab3366132607eb28bd7dc0d1e17f8228b6d7deb29fa48f6654236c7b52

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d434c249199010ed1ddd3fadb244d91a

SHA1
7acbffcf5862acc0ca76daf539aa94cf9e511eca

SHA256
c9a8235b7cb71af46b04a7b4ec531f5eb6d5151152b6a990fd8a027207dc6d7c

SHA512
252466288767f3fb987bca8d16271cd0128b2b556f62b78955280bb3e864ed71354e7acaf068639ce0aec16cf9e206c6a80b9743c56569e103db9aaedec4b3df

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
013ecbe98d368c02382bed457d684427

SHA1
eb3e3648f44481ab32d2e3730e6a98f08cf0dbcf

SHA256
6ee470245d12dfa4ff814b6474eabe75a9034505a63928c46054f48153f97b3b

SHA512
e06eb4971c0314153a2464697be245da3814a0f58a2c76472d06a330b83f853b125c36d3222be78b6561445b6f2ba2db2d189e427cd142cf2b47af2800715513

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
05d10963b32f377c343a453ff00b6265

SHA1
06033a48be734fac77a5e6570d2f84de6200172c

SHA256
9787221eb0ce0ad8f2c92453ce8cb1aed0567181a6afbc1958b9c9b0a04708e5

SHA512
802b0b8af19e84cb4a4a4e0ebf6fcfaf8b05b6f98f74db8d0b447396fb8491bbc0699ae7d86b8157e4e57e3bf3154eb4220ce2dc59f8a6700470bf008189d28d

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
0c3f51e93dc50778f1e37d0c7bd04514

SHA1
5672227779047679f2a6f628b21d64ba08851abd

SHA256
279f842ce8d9ec06a317f199c352eb06019ecc6fdb05eabd56f99c9e6a6e6b66

SHA512
4b6db0b53d825e5d7f0632d291004afccfa9fcd469716217948e3961a1b5e69427489f8dd9c8cf394d5df8d755722dcbc6b5e735e1aa4bfc2a0d090e7190a5c7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
709eee48e228dd92acab4688cdf40f15

SHA1
897043151d47903dd08dc928cac3a5713b313dd2

SHA256
c8d8805ff1d602d65bb9f0162e88e750ca13acf79dfc561cc7423dfb28b363db

SHA512
a4b6edb8e00861530da89cac39101b81f8962aea954d7903ef89c81c7fb2ad59ab45f48da61b5293551cea07e6a11661573478b5bdcd69eaec5e36628bf9dd8c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
e1daf6d4073a8465b4d2c7f652e8f39f

SHA1
601811dadbbc70540e2c9e9f488065ad289d2c12

SHA256
27067ac64aab03450c939d5bca72f458ab17f44dd17fa2b45299fe1fcc3c67fd

SHA512
5365c4ad0e87f9475cd56fc83bb73f27fd4fe618b1176c50e825ba662d7c7356a2a6a4f380cbe85d1a3e609e418fc7def586cfbe7a0dc59becf26bad6d1de582

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
4887b39cdd43df0b7cd53ce6dd41f845

SHA1
b0607416d22fb898f6b942e1ce359c92c8c111c2

SHA256
b4a94761561120a8804d937597606379b2be0b2ae4467ec15948e146c83cd3c9

SHA512
f9877657c1b0b536b80b59d92f58e4e36eb9afedc587ca86f0832b1a75f4546e78778e6d86c0e5e48bea99d4c16ee4b3e2247cd0de1f0b784c87f8b9530752d8

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
23b44fe8c0dcf16918e263177fb39ca1

SHA1
2f14a3acec2c0fb3da379220076624615c3ee8b9

SHA256
68f9fe6f6bcac311c9725f5aaa9c9404f6d92771ad79273d150a9dc189e00667

SHA512
3ca937636524f92670757a01af79ba708e9c40c91fdb2ee0139f6d788b204d72fb41a0e277c6a699f9f21f405d247e6971aed952db26ab43879b60a452c43b5f

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
1062cfc27ae24a0e46f3826f92d55d42

SHA1
4f5a01eebe7ac52a9e0566b9f91e640d4b32d206

SHA256
f9f9ec6d384f7f20228c6a3613d3f840d8ac20cddb73a1eacb7d554b9cecec10

SHA512
0e88222a52d2ef92653ce274eee8e3274b9a92571e6f18b623dcb159b6ca46933cbd407cdc00b840c7c2b69121fff8a9e3cb056018c50c005d20092065d5f8db

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
a3d63a76f5fc040b2296d81df04b9f8d

SHA1
846a58d896d008277e445e9d0aa01e2cddb66dee

SHA256
f1b75090d269cc6576c9f36e853edabe4bf523955001ac428257c0c70dd47dee

SHA512
f06d493bff9d6fc31d7645a290dddfae4a2912458fd0b301b998ee9abd60fe40d90d38a53ff2eede17dc841686cbceebaabe63d0d31de689b9f51a46c6cb13b7

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
705fe619d3c693148ccd364fb84e97b5

SHA1
16e2c3966848192d0e700d46e785ef13e65cfbbb

SHA256
1b457e821f7ecc80545d9b46c5da5cbab5e78aabd24507e4e5dc713056dee12f

SHA512
221ea98057e39dd1ceb294511802bb40d6cf5f6293b00873ba40ee230eed95ec34ee63f9b3befe351243255b5cc234a0258f5eeb2f43cbf0af9d5ba461289d48

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
0b9998c282d5e2288da802d905b80c00

SHA1
d5c93ac8b9da02bb589ef112fce098db6e6557b5

SHA256
2c94beb8dd6532f4a699b8036016cace4204a33f0de7232796ad7fa136c849a5

SHA512
b8fa26332e500a974880d786358efc014e235b69d39f9486bc08b3903bee59189dc15a4746c94785d00a1b90e1567832d02ee18f602010faa2b084ec0159dc09

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
d58c4ab3b97d68c8cf7bfcb6211a0423

SHA1
5bcab8c0108144f8dc4d592dbfe1817d864349e1

SHA256
5c631b3372861b8f07b9fda3898426532e9e04d2db1dfd8999b7c6888ad6bfad

SHA512
5b562182f4cb9f706f2a3fb62774dd5aaa47b0ba0f4bc16183762df129f3a00d481d5ffcd0351d04ca5122787b9ea2684501da4f24c477f5c94740c4ba210262

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
179b39fa2ea224b42ef50f327cc8b26d

SHA1
f5bd2f67af42293ee426122e6146c55624a8c58c

SHA256
1b969c25b46b546e4214ae6b006be69e4e7a173268f9f79a1180b4bd79e49958

SHA512
f88a232d0236282f4547b23d92519e23843475e93141ef19a2394bc1cdb041d12ccf53efdd9118d0640fee43d35cf36cb4843bbb6a6ebb93869f86b10e83a352

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
70668e21586e6ce5c519e89c1f9fd71c

SHA1
79c322088dd93d8ea3822a81abab184302430713

SHA256
5c9e0d901653fcdaa9d68303d228cd41601a9c5e50a6d84f114f0cfcf818fcac

SHA512
baa110e4d1945fb8178fa674ecc3b6a0a2d4af5529ea9c14b283f897dd8aceaee130624de7c33aac58af9836c2148d37d57007382c914f1d03f1200d699f2473

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
d3f3e331586806a925cc63ed566544fb

SHA1
7926062ea875458c4e493e8a2891483e4a0b65f7

SHA256
6d6ebaa2411d9083eae03754ba06c30bf336865e80b19e43ed3fb5247f9b5d68

SHA512
15da8bf04da3324a018105079d12c8a56cdc51615608c74d9197920db7aef162b972a6dc69bb81f2af745f0cbcbd095a353a1548ccd5e11d4a6ec08727662481

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
ac4c54203ffb8198d0964d9e7dbb939e

SHA1
2fe9f313654e3386dc34e4ced0e5c52b579f0512

SHA256
415cf905aa97528745fea0cbc013bf3f570276e409d6b12c75d2f687230d3fa6

SHA512
3714740766acc19e75660fed0e97fb485f654df20f6c9810edf9a77aba1f153ca318220e8a9d8634e13114cb44cbc42b9cb964c19d50ff9549349eaa781da7dc

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
bd869701079d7c91d1fe59fae9a28859

SHA1
c9b3bb486af729a7a926730ea9871d1d84fc43e7

SHA256
44473036c0874a30c52640d68960219dd994f219618e13d2da4560b9dd18611e

SHA512
b734875e5f861b0d0164c2a96311548e48b5dd4a8e90246d43f5c63265b79cedf43f7cca39bdf2155a66f7974924b3414f9d7a43f9daee9bb42cd27b179e460a

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
9ae1a077aedd5ef5ea98906c576b254b

SHA1
36ec1d9c91a1c4d538afcefa060ed0896a034d34

SHA256
976d2badd82250bd5f97876b5bdd2371ae852d8435dc3eb393623c25b5ad1db2

SHA512
02eeb280d9ee2be6a1e792341c493075542e9adae0e8cfe182e0f994bf17aae8dd47ef4de2a8ffe1cdaa65ad79762767c0c057e10b1649d3d0b40536ba98ee4d

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
4fa619a43bb65baf98da5d4385214d36

SHA1
d864e91e6fee7287606cab2255ca3e256e9ea604

SHA256
9f2fa89d33f1fd0931245ab925d4482610f877dc8f2fb15c11346aef5bdb8e31

SHA512
48c55d2aa200670542659d6c8bf508bf301a3dfaff6844e1d35d5c46c45457e9df3a0880935d29372a215e26f89094a35ba24127602b468d785f9c8ee2a58575

Download Submit
memory/912-16-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/912-15-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/912-24-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/912-112-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1004-79-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1004-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1004-7-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/1004-1-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/1140-416-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1140-152-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1144-67-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1144-64-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1144-60-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1144-62-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1600-91-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1600-386-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1600-96-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1600-85-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1744-251-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1744-69-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2380-410-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2380-104-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2380-108-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2380-99-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2636-159-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2636-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2636-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2636-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2712-163-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2712-419-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2972-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2972-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3212-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3212-417-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3236-73-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3236-299-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3236-82-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3236-80-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3264-128-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3272-107-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3272-11-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3424-114-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3880-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3880-415-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4144-142-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4160-151-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4332-147-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4616-422-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4616-165-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4692-38-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4692-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4692-32-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4692-150-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4816-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4816-383-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5064-418-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5064-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download