daaf5e260981fa3601e1b8d589bc16dbab8c275425278bb21f0066f5bfd8dbef

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
Size

712KB
MD5

5c71fc2d62bb8304b233290249988e43
SHA1

cb06029e00fdbf78f787c8649f20a79957bcc22e
SHA256

daaf5e260981fa3601e1b8d589bc16dbab8c275425278bb21f0066f5bfd8dbef
SHA512

b20f44c68801b1bd28368187b359e36e84b4857199dc9df040d9ab96b350363878070f8cadaf89f46028cba99bb75a163331896dfeadb9d8c728c55d091c9ef8
SSDEEP

12288:PtOw6Ba+Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbEK:l6BPsqjnhMgeiCl7G0nehbGZpbDM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4316	alg.exe
3564	DiagnosticsHub.StandardCollector.Service.exe
4364	fxssvc.exe
792	elevation_service.exe
4044	elevation_service.exe
3728	maintenanceservice.exe
3424	msdtc.exe
212	OSE.EXE
1836	PerceptionSimulationService.exe
4620	perfhost.exe
3684	locator.exe
3320	SensorDataService.exe
3472	snmptrap.exe
956	spectrum.exe
4788	ssh-agent.exe
3512	TieringEngineService.exe
2888	AgentService.exe
4364	vds.exe
780	vssvc.exe
460	wbengine.exe
3208	WmiApSrv.exe
4728	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\722dc253d590e271.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F4DF7669-184D-4D67-991D-8B1550DDF396}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7038117f3adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acb57217f3adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037fb9416f3adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
3564	DiagnosticsHub.StandardCollector.Service.exe
3564	DiagnosticsHub.StandardCollector.Service.exe
3564	DiagnosticsHub.StandardCollector.Service.exe
3564	DiagnosticsHub.StandardCollector.Service.exe
3564	DiagnosticsHub.StandardCollector.Service.exe
3564	DiagnosticsHub.StandardCollector.Service.exe
3564	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
Token: SeAuditPrivilege	4364	fxssvc.exe
Token: SeRestorePrivilege	3512	TieringEngineService.exe
Token: SeManageVolumePrivilege	3512	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2888	AgentService.exe
Token: SeBackupPrivilege	780	vssvc.exe
Token: SeRestorePrivilege	780	vssvc.exe
Token: SeAuditPrivilege	780	vssvc.exe
Token: SeBackupPrivilege	460	wbengine.exe
Token: SeRestorePrivilege	460	wbengine.exe
Token: SeSecurityPrivilege	460	wbengine.exe
Token: 33	4728	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4728	SearchIndexer.exe
Token: SeDebugPrivilege	724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
Token: SeDebugPrivilege	724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
Token: SeDebugPrivilege	724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
Token: SeDebugPrivilege	724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
Token: SeDebugPrivilege	724	2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
Token: SeDebugPrivilege	3564	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4728 wrote to memory of 2140	4728	SearchIndexer.exe	SearchProtocolHost.exe
PID 4728 wrote to memory of 2140	4728	SearchIndexer.exe	SearchProtocolHost.exe
PID 4728 wrote to memory of 916	4728	SearchIndexer.exe	SearchFilterHost.exe
PID 4728 wrote to memory of 916	4728	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_5c71fc2d62bb8304b233290249988e43_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:724

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4144

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:792

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4044

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3424

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:212

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3320

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:956

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4500

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2140

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
af6199ff17ae413a53c36205ba1f2a6b

SHA1
a1728c305b425762bf6eba045dea3f4a1ac32cc5

SHA256
340a14e3c3007c8873852a5a5c59cff87e97303f05616c7caabbac932dfa6877

SHA512
b027d98084c5bee7096dc53ed1051fe63a3d56b15dd6207445b789ae92e67e2966baa3ab26570cdf519e13d0f3151e22ccb643d031bb1ea1874383eb07b99c2f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
f63bdae0fa709ae511a9c7a56b969992

SHA1
54a48dd84f5f7d4a92e0a587947fa521ce8d8169

SHA256
342f22287cd3ae5e2a77816dc0ef1b87d0786034c88aa291c4419cb9adb80aeb

SHA512
ca62b77ec14f5265a30194900bb948b711f0364bcfad7ff0eed95d9c94c45570b1a1f1c3fb391d62cd4af2c43afa6bc0edccdffab7a13bfd0185edfd8a9abea8

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
81f5e26529f7a6d3201d90e2fcbe94a8

SHA1
0d5ac72e4be8fa3f3a4800b89337493d30a08efc

SHA256
2dfaaa2c36d6a3cac3ff079e52a29b1c571bb1484c4413cd57fe0dbb86dd1524

SHA512
14a0e5cb944d9c1edf9a44c1b49cfaa66b173f99d8bd3a2ff333be1cf7843b259ac0d68ab6e1ed9e83f30b18bb012699a0deffa6f7e9eeaa078332a8b88b0cdb

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
b108bf7e7d392a1d27c70cdd5c97d2a4

SHA1
59b5595383bbe0cd03d4377655a55db24ea34147

SHA256
2220d4c3f55337efddf0df34b11f7afa40dfeb0fc11b4d8724117f9691b7146b

SHA512
605f176837607e3834737c105f444ed2b3a23aee61a0958f543ce972a7f567aae0eecf9544f6536325cc864a21d74c0d72f1a1be88c6053d82a7053f2d07ec09

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
93e817c736d7922745ee2408a628cc8f

SHA1
768c4f017e864369dd059bc2448aaccab8aabf6a

SHA256
b36d9989ce099844a9a92e57005b231877c6cb2e90e893d588cd64cf30c99fa5

SHA512
c9065b8a2972148376ed340e50e70836828f9b8e67187f29b2dffdd67a8c620469425d7fe4f1e5f2594f407ce85f298fe54c29ec8a4ba210e4ab88c1d6b326a5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
351808900634ec1825a16c062bd7dbe0

SHA1
c6b4045e48544a70859936b759abf25621458e40

SHA256
f378bdfa1b13b69a817bada6859607bec655661b5d0223d1a1d5c9151d36017b

SHA512
9eb0f9438620fef4441ee835ecdf070598493a1c64c633f97576c716af9ef005a8512d1a7606fe0b03c5ce59cce994ada914899e2a39043b8ab8693781920b80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
38835d22b7ee5af8181289195a0e727a

SHA1
4b714ce935dfd58bf2f3fb1de1eb88623c0bdbe9

SHA256
115f42ece094c7f7808c07e3057b7fb82088403d8d3cad5cf40d782066ed21c2

SHA512
141ed326c7cc24a6a171bd4aa06ccd09a4a6cc91d8778c8359ce756b9c5ad1664c54c3dfe2c03b2f4f2a1a7037e5f804e75b32a2cefb21fbf818019abeba78ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
81520e42a088342e53168720a9070028

SHA1
3edf2288a4af91b511c5fa628f20753d2b7cdd81

SHA256
538c69725f59494b6a0b0735f881b9f526b327dc930002458a6ebd09803bcfdf

SHA512
25353e5e27bb3c0173a5ddba0a364cdb687d8520e272fe3c916f37667c1054a9102953d77e13f1022af6351e6d8c55dc803b20bae1ee3cdd788af98fb8193d5e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
9815630ebdb5b58b971900fb2ae343cd

SHA1
5a38aac7ea9b96c06e451cf6762df13bad485a13

SHA256
bc5f57f60bc0d3bba8e4cb7853107bebf84ca76e5af23f08b861c3112d90cdd5

SHA512
f0186c15c1210fbe7d38ef75deccdb5b0c1c0afc4e1fd3a5e71ace148b68397855196632920272745583e3eaafabccceb893cadc33a26d6f88538eca14f3c088

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
874563d128050d31ff0311c60fc2443a

SHA1
9dbeaa7b68b5f23448e357fcce31a5d62c665796

SHA256
5c9afb991a206b8105d95b721cfe66143800e521e7cef052c18e959e2804895e

SHA512
c64c6f6d3405fc53bda0a03e34883de6d9e87e39d148c0d28ec7ddb86babaca95e6fe2eb1dbd832b41f2c9536586c820f92eb909e092978ee1228b27fa05b51d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
1cd2431ac55d14e87c3c7e928fb1c0d8

SHA1
7711733d72b791ce8de2f1fd51ce7f2b8c32b878

SHA256
901fed8dbdc5c04f4c5c7967adc7555094f431475342ce4f5d663972d2a03f5a

SHA512
5aa5fd1fb3177c4c79e4b08b478529b582288cdddb778931a8d6f8ca262682963eaf671fc8ebd31bee7832405ab44e179d8655fdf921015bd34953af8e07ed2b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c1f06cb8d3b655169d58c568900ce842

SHA1
5a50b64340ea50a519b6b3b4f85b5db1d53bba62

SHA256
dcf91fba88dbb109a538bfeb50c092ffd879e627098abdf03a1bb38b480fceec

SHA512
d4da244e1c9b9f4af3b9bf26794a6da7fb0f6ef8df96534ee7ed2ce35be004133cc80115e8204fe7e5cd259605a9537485b81f2b41a4d7876fab839e2c44486e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
3e0b54973c1edf814c13e040ae2a55bf

SHA1
70216788f3bb7c060c47654b165667d3cbaf96f2

SHA256
7968640a7af801d7678e302faf8c786f945a7cbc69e8d7645cb899c050975d54

SHA512
42f1ae206a3a102a5dc8ef60ec7b1853e1fada8e1d531fa48a3ba4dfb4c9b342c9e7ce19021e4e6dcdfed1b24eab5684147a6cc877af5701117d081014096c7e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
6dcf6af3cbba525e633e5b1645e79802

SHA1
7a628226745e4a17788d764491c2e752b09827d7

SHA256
a9fcb889fbe45b215bb0faaa871d6a4e6860dcf079f8310c9561134ecaec896c

SHA512
8677935747a948e2c4410a186b90eac175fd59a33ab0eed828d5620c80059649dbf73dbf181430f51ad9a212b54449f97f2e0b5ca776b3d82c175c4f3ec033ed

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
23f3de2d95345589a25ade073f5fb9c1

SHA1
f18bec38ced46f6fc618b9195c18c21291f4e497

SHA256
61e5a8f2ef85fa616095e03a1c1963fefcffa7d15fb8906f9f0410b10909a14b

SHA512
5c5b721e3fe5b26232e75763ee07e0be273456f8c269d2ccc00697aa90e764c9aaed1cd5d348315ade65d84388e554945722e80c7ffc23c4c684ce5426c878ec

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
a637b5ce76e1dc0fa7405c977dd38ab6

SHA1
0370d27658d1890e96b9ac5a95d0eb2e14b0df96

SHA256
fbd865aa5983ca809fc8183bcc236523a0f1bb5e45e9e9cf736148a5c137a5b9

SHA512
f171dca3978d0eeed4ce0a6db8db4aa75d44fb32c343f28bc580e71104f08493d1ed0c3931b6cc5d86b902a391278b85f832acd853d0ba4beca4cca3888fd3c2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
37a349fb15e87014e2623be20223d6ba

SHA1
3cee6333d6e19868a191641ea06ade0f9ca75b07

SHA256
398447f00e9f7af30cd1836b2d1508a3188a512451a25a95a77bd9df42ad0864

SHA512
31556d00cb01aa80d360f718961e88b86a603e013ae7371199d6b305550008385d607974d973ee4dd1f9b4efe876b9ea1ec53e72073387f12ba3ca54db425e9e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
8c11c501ae02ae4f4490390e888860d7

SHA1
5b4d0139eb23a15e78df226173f550337579ec98

SHA256
56ca20b14b519afd0745ba2b6b37a9577c0bc09c804e3c128cde69b4fc78711f

SHA512
192a9f8be4e60f472889c28a2c8bc21286883393e22b88f59f2f5a4e4ef5b533f7a7ea2150897f0fa0d437dd9866d75a4d30fb4deda4608efc3d69afaf653128

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
b875da3ed403cceba6fc2a6754d63cb8

SHA1
0c2ea89dc2f6db68787ac08e9cd58260f84a303a

SHA256
8a1f5552b523630d9b9ef23e8250ff90674b86f5fec443858a3c2409ac30a565

SHA512
8c008fb4a7f8447b1e8fc07311c99c33bb27b1bfba651c92f0b5af5f32f72bfa47854edd61d94578cda08ceada470daf6e5faf26af5f1ab4925ec85e8b073677

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
dbdb9a3e1ba447522109992da2871cae

SHA1
142a831b1a6244ae4fd4473dd6e12b1bf3328a0f

SHA256
866f4c3847af64e146eaeaa3d8a7919d104aa79842af5ab5faeed3f84e77da00

SHA512
69780596edd37adb571d171ab813af0a68b5b2adb7deb6f52f3661480209ee58b9a072ef8ae37a3c893d261c5697379a67c6c7a99aec2ee22a11572a21f6aab6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
77dec5c89805f4ba99767db1e84934a8

SHA1
45d2f14bab2bbdc6ebff1d520320eff8d0f48d6f

SHA256
000f98669b7a845d2b190a8cfafeb3b9cf59247d0c96ee5a9f18a5a4a7e9b81c

SHA512
205b9338d88f360bfa948788892dc026672f17b22d229e23e162a8419b7bcfc64660d64c1299d9b88bf2adb77d31599e12175f5606ea863017caaec5ceaafade

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
cdc8a538ed78c17b119f8ed2ea069122

SHA1
7e76e536ff563d91be0ff04a3d99aaba48cdf4c8

SHA256
d956071fdc1a1e0bd1a4c317051666d1cd0fe7f7c58d0431706ef4b4185e4f9f

SHA512
da2c3f448de83de0d4499505fcbdc7bbf002dfbf5bb12de433626f17f7923c02633506d91126906ae4cd14933c5beccff08470b73341e48b561046fbf6752253

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
e413141fd7496e439bd5e0e6a22ae7b6

SHA1
7b3d1477da29cf6a9857c5f90e4c94261c6a7761

SHA256
71c33996a106a7431f2bc103771a97d613eca0f98a1cd674d59d55ac67a990be

SHA512
d31924f4e04d45613e25cff35b431be78c4f0187600911474611106f682757b77e30e02b387ffae17543127e037247bdda4679f225aa3a9bfcfbd4dc0e7c66af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
f019ba9356d690045119e213c12e347f

SHA1
f1a0692de27d0cc26e6c12898cb4bc77a1f762d8

SHA256
f199227db19a18461207c07940179d3e5302add57fa5f71074a7cf5c8d2661fa

SHA512
0cab2d9bdf84d8c9d9991d99f1e0666a59d267254a743ebbfc9c9a740a205aa905631ad9ed494ae7238e2c6c5c082143fcd046ea2ca63e4c105d5f151364cdda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
8d29e22ec41eaec4b09c06e5afda07ec

SHA1
4782c93f5cb5375306c31382a94bd44908a94b25

SHA256
48584fbbd8a0f8b9f15256ed7efa8d619006db72e6caf4e1ca502777f7ad5d66

SHA512
4d4ed90be0cbeceade1a4eab18bac8f9e709fb5a898c7472866517a2961d06520e1adf88588090fdc773b08e892c885cecf920c3fb28bacbeadc8f955cf36e8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
dc6a0f60b85c3b39a0bfac99952bc1e4

SHA1
70ac9c4e5cc20fe504dcd105ba6cba76b0cb463e

SHA256
2b6a3573258ca2dcf62a111ddfe76cd975b60427902e9f7b22ddf1035b9f19ce

SHA512
2dbc9e2b00b276599c15ac199dc898c804090acaa4632f00dd9a7d1f00231fd8a290fbae80e3017fea0bb68dbb3a2366621390531c51159e9b4d9523179427a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
a3eec419f181ec7c9c4420de761dbde5

SHA1
69500e5876e75f678da49dc3a7bce35f7fed444e

SHA256
a0291a1bae354d1224bf9e046516d2f4e4a8744941ade8a74317ee4f41aaa683

SHA512
8d881762fd4bb040c0b72e083e0cbad490c553790d6498f832991320f58c385e00c184bbd1179b25ceee30e637e2f928795be78d3e9cd46e3fa4af8455745706

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
f6b2c879b14b36f74c0fff8635293ee4

SHA1
934da408042d08d0dd44ccd3bec97e2393357874

SHA256
61a2f0e473c051e848ed21f9db613fb0f8f9ac51718c8612a137515ad2fa96eb

SHA512
525e6f97804a28684af601390b78c445e72ab7e25c0e8d7076b8858e84f742c725874eda434dc41662821dec4e0d8e0e9000b7b97d7dfe63fb668c70c3880a44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
547d4c4230c945c1083b7af0f509c991

SHA1
16ceac4e2e25eff9703ba86a1093fd5711cbc7f2

SHA256
97d48d50974a1b4b1478d11a81677169c4b7965d23914eb045e4b7698731a3ca

SHA512
209164badf1720fa7cdf9b8d7186bb342eda5589ae66cb4c1ccd57ac61d4e1057b15e7caf90ec170b58c4a95472c3a814d7059fa5e6fdd4b0f150e8bb4ebf42f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
5a87cff421802cac3b95053a7601f330

SHA1
136ce115ac5d0a937550dea2b9f807fd2c0fdbcb

SHA256
6397a4c061772ea9925687d360bf26c6ff866997424c0b9250340b68471aa3d3

SHA512
254389fa31b148681bfe0bf219e833856a17d870efac2f0256c18176378ad32b81db6149cbca7427518eb3e39d5f2a1ed316eff52ef32d9855906dd08812e87b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
cd570bade55197a87d763f87e069f187

SHA1
d4892f3b9f7b83209623f2236c5f51742c733746

SHA256
315f2555460d3c6544a0fe4a881618965ae3057bfe58a9b625e080268d7f75f6

SHA512
64394575aa0215cc4df129a137082a7b5fe0f9a93f374d59fa62a77d0ea00bef0e6466d9997094a70f5b0b316ed2b541d3f882758ea809104f5481b99137f9bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
a405dcb74ea112511c99d9bbef8305f1

SHA1
03057cd9d04da28c9b4e581299e51d4a2dc43637

SHA256
adba21ec401bd89b8895c5267e9c670f4761b38ed486d98253b16881ef9d696b

SHA512
02e581d2015191e57841bc7ff15b16e697cd28932c939c5389d7083a87b1e9afbaa404249fcc3f399421b1c04134b18e88fa02b6fa443a9b99d8dc53392d088e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
b373171b340104f8c072c1a85786c775

SHA1
f9e669c08af24a789f654455e4fb86d41481253f

SHA256
4cdd011d364faffc3d2460899fa532d0cb27afd164e26bd669befa900b62c4bf

SHA512
80fa68e6f061e7ead72eacd67885169952b16e1906fd526d5886c751c60ee347f19ce5d4eb6a3b8364f3f404acf3e9978e2ecaa5fafcfcb80881a577244ec495

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
f9dd7febed8cf8615e1c9435885442cc

SHA1
c5beb54b04d681e579de6396f925bf704c360efc

SHA256
5c861c63bfb7f1278d2528b487a432a8ca3b277ccbc9dd1e64b4f798c3b0f556

SHA512
40df5b467603110123a5505d2b61ccef037d4f0337ffa82beb241cd5f9060212470d1972967461a3b07942aa1c40f241d5e4e1d20a9777fb3ce53597d815162f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
a14705d67bc8ee3c354e85e197de0fff

SHA1
73b3fc3dfa4071e4be0269c872e4e0122135440e

SHA256
600655e9e04d8f4b6bcb998e92e801232a69db242ee5f90292edeca5c3256cde

SHA512
4714d2d38854c10a0d846d20f52903ad37c9cf3adacf12521540a89dda9be83ad59280cbe08f8e84b03887dde82b1bda992d226b33e0dc17d0c200890a21c360

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
f4ce705780fad3bb25f720fcd584449d

SHA1
47a063e375f936d944063595163bfacabfa0457e

SHA256
ca3de8ea92f2cf4e0e6be6f31b6b8b076c863a3d30348f43b6775a0c31567187

SHA512
3df5f702de0b71fd4679e122619ba81c0595dcdb2a4b70d69dd7619ca002c1a2b2757019e530c8926545d5b0eeffc1cb3c6897a75954a87a8d0044a146d15696

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
19b2ae3461fc438a505a8f9fa821ca1f

SHA1
6f044e1f8e7d16b7e367d580b919e616e4ed091f

SHA256
efe43c2c190f13619903e3001648d6c96e9d74415ec6f4435dbdb6d57ece4969

SHA512
3a756925cd940117d500417340fb2738ca6a087c6acb5ee6180824f54c93814b69758ba6418db4f5d8ae3bb948a51f18c6c46be0d6006bc9cc1dc6101bd84108

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
7426045228449c2af55495edb4e350c4

SHA1
336df8fc965221e226062a1b1e4dd188906f6727

SHA256
87d53fa978fc21b84644e965ec1184fd81e4992960b4d0a7602a36f4f7fa0efa

SHA512
985e819bed5abdcfbe735c522e26ac51c69785623b8e89b0a0129e2daf8977aca62650642d2f021172d4a7986d8b5caa630f8f4b7858e52ef27593c53428d0df

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
89b2016448957e4b1b286c15e0ac371c

SHA1
aa4ad498f71745e262fe5beba42c7ac667b2b5ba

SHA256
4ea134a368728a21bb8f7083a9551e222c703af2e4e1a8f1745302911e537331

SHA512
937d137ec14127e2ee6675a3571cae3e676733f60dbb02c27e136eaa33e74ebec2aa5b70270afd49f3fc3378b29c82565ce6ad5fddb23d31b9d235cd7b19689a

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
91077f55e5e3f86455ddcd899d6687e5

SHA1
84748258f39253057596af5a14d030c523304f90

SHA256
784ea61cdd3203fc418d4521a9107a5d10554d8a4e4436407e82189dbb0bff99

SHA512
706158d365620bc8d8a93b92bceb7259e1430496eadf9cebdda4f211e9e90cb18afeb231581ab010a9337755e720470f82dd3b90375dff1683bdbc43454d2860

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
16d78583b5b7e51647bd28962407fc67

SHA1
15baaff0bdbd1fe2f7dd2bed3f7b91e748ea32b2

SHA256
db3d9840e2af100d84cb22bf4cf6980fce46a3078fa0efc141af5bee0b7225de

SHA512
6f62e928bea406697876750e3e8065aa1a64ca6d2ce9564291cd46291f3998f18bd183b343ed24a0cfa9e36391eb08549ce62e1eaf013a8bd0455c94ace4728b

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
5cc3534df9fd1d311b06fee31328d635

SHA1
e5d42b766f01713cff24d89616ddf577c48378e9

SHA256
7f36a56650d226007006bea9be430e48eb2c415d416cee88f09a98620fbfec90

SHA512
1727c507f6b33c0654148d25956bbdc8a0e57a817ebf9852fc7de54f2d8dc489f78a7ba5f1e03666a407e76c395b53b7ac92321677f3e369835e85b8824074c9

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
ee6687e67c9b5a23b81d4e91a3bb4edb

SHA1
6c5f26e46d0dd5a7668d40a4c1d0503f569c9c49

SHA256
614fb679ba0628c6b41b7cf3ea86a4efe444f83bf1bedde29d203b6d6cb2967c

SHA512
b126b3bc9cebb4477cc186206dc7f2b2010ecddd8b406e4b56c4a1edce65090d5450b34bef13787fd58ef90c4712411ee5b60bf6b9ee35b51110cb78213bd005

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
f2b05a052022a2e25c6da5b92833235d

SHA1
092aa0304f914a302d90adfb8754b16b208e903a

SHA256
47a575b6fff08e1e57174229f2d4eaf6f12a166758125671f3cddcecda73d133

SHA512
d5803a1c7ac9801630610ad4794b765b94ef8e75068cb93e694f6ee5411a8625830f981a3c83ab4ced7b104015618ef1ad1f86d4669ecbbb9debea203ac05e51

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
f3b98852e03da26407be8038a676cda3

SHA1
192eb91621e8a6fac36aea13699960719815bd4d

SHA256
0ee364fc0fdec7ababa8bae9a411663a3cc804ac49b1f2da1712b38c9e23d99a

SHA512
5393828c78083f8940a2c03ad620ded75ed193a7e0cb8d00cf28b834e9f606dcfbc57fa0d20b7916883cc6017fb581688145b0aa40004041d785f6a3acca31ef

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
8fb3d75e8747d5c9e87402e2857e65b2

SHA1
ce1c5b598eb120b5bb65b6672cbc7c981df1546d

SHA256
bc7c18a86b5e4f80d6fdd1ff45260f8932ded8db7816801966def6b6547f8514

SHA512
6dbcd996f1e766375917c25e5bcd873e677ffccb46f1f5bba846a13b4c9238a06251c476fdbf1bdd9c7ab5cc9e95967d43235142507e6732c0af9cb544528528

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
4dd53606c4c4539edcdf3b9ab616c2fc

SHA1
2cd11da9a3f6921bb06cba797ef80c559ebcf4ad

SHA256
e1d2760a2a95b2ee1febe4e00c5b53401bc5fa4f1f435986c9a9ffdfd72538a5

SHA512
08c0f0b26ea32fd7aaf2dfee41503639eb84ca63fa09f25304e06e35c2b3630004e3c1493cac9090b007e92300ef1e4e90257d9a549b694e3d1f228f84ff1939

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
cedb7ed93dfe048d4f4e2faaef61a75c

SHA1
23f925138d24034a03d992d47e79617ae54ee716

SHA256
4675cd70159d9dfc4851b97b2b7301cec67f17ffd12a55ab29ee64915c9c7070

SHA512
8afea8bce585cb89a63e9dc5be2f2550e8b7590edd4238e66dd82a9a3901fd8b994911e9f0ccd5ed0fda42d5cd5e63cdd0ce03770aeed91da6a8b9c20014a0d9

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
72237344066624cc655959a03516047c

SHA1
de6f9142ce3721aaa7b21bd1c634dbc0dae6a6d8

SHA256
081a94e695a7a0217dd262e5c188e6109054f1f7c321330e1bfaaa3311f39bf4

SHA512
cce643012441b627bce6f1d2307034d5d2a8908310963f6b54d8a862e79d2db628cbe51394cc3bf17923ef852ad6d39134dad5fdb5e30294b4eae99e5c3c171a

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
c6f5b15006528892c0bcaad9ec6365f3

SHA1
72bffc94f61a033a51b38e7208b6bec3c2d76141

SHA256
e383abcc8d619e8b7717600ab999f0ce7611f49c904caca9c2855fb007c47384

SHA512
ce47289ca8d62dc490b30704309b23890fc040302ed5c48b568fe5b9c36245faa64bfe59e42f9fa5c750008255760cec770a52098203fbb087f16d9fa71e99fe

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
09610cc0157b1279421c2cd31a8663b0

SHA1
4d639bf3441f5843b89783b3f0e9771c9da1c687

SHA256
48d331ecb6e1ed3366624f7e9a8e428eb74d3e1c2105940f2a936c253c953cb4

SHA512
4f4abd630042b4a53b57f965078b7e0d971dc149ff9977b57bcd2b10f0637a119c0ac55eecd8358eafd33bc4a9cd18ce87a7ecae92d3b7a16482e8880aa118f0

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
64cdebfa6329781f282e0a578eb3de11

SHA1
90aa6b9c7ae295d915a85b2daf93caf1a40cd3ae

SHA256
acd737b065912418309abdfc9320c8cec28a42ffb1d5535329a4a7f3efa906d7

SHA512
78b99f102d33d398b15940b7c6b0008fac7e2a83109d30f2e6d7f9d47162759aff533f631082c085e172eb10cf68e4462aa6b4746e2078a3373452c98816f866

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
9b34e54c82e40a37323efc70f63e0bc2

SHA1
cdaa6c054ee06fc6ba79d67919c123398be8bc9d

SHA256
be55b95bddeac0ed7cd43a926b84f0f53201a735fefe30a8f562f9eedb72c25e

SHA512
8d366ae7dbbdba1a915e3ce14a3cb0d00a5d74b1ed9a4995157228551908d795be1b655719c48b1ac82b638527a70901e8f84eeb7d8366ff300e61bddfa814ac

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
22ce4d1afb719766a69e67c617e7ebb3

SHA1
d7719cec7cb750246af5e39992363e345f49581a

SHA256
83809ecc72c20ac6e37a66e29bd6a0185bd0398fea84bceca0b82b161fbc7632

SHA512
1326fcad9e8cc3d884cacaadc6f59365e6a6596cbc5eee85c6e8dfedd33ac2acfd5e58809df7b63846dd624ffa4a44f5cf895dcdb507d7f8cf38236a3df867b0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
8134f3bfc8a8d0aa68999f18237dde9c

SHA1
e934ce5be519b7ec6c50494cd7d1550c702900d1

SHA256
d5947a9506ea0748a5629a0eceaf276eff75c165e153abcfed8573c86b6da24d

SHA512
097e1b1a28f339fbde606ebf32f2e81a71f55729e8ef35d4f9394ab22089449df33c3fd263abd65d27790390b91af504aa1b5632b1fa02e58826d99581a7570e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
c1cfc97524d93a3b1fbd538bfb4c68c8

SHA1
fd48a396cef6e59e70899fc14c03ce77e325c86c

SHA256
5d97380e0c406873a6e496f91310872fd24e43ef427d586f878519a05f3c5319

SHA512
c91b19699f2b3efe512f99008d5b3c37c3951b18585334667a14857582596ce2d33a8aa664d05e509da72dcdff1b1b1b145810f77a09cb69445785d7ca8cdf73

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
bfff3760261ce08b6bc589dab54f26dc

SHA1
5d66f768e68f013b4d6d8c7689e1df85564316e0

SHA256
cde692633bfb1acb85d727dd0db461e4a62a996072dbe3a670be5f6e522bca1a

SHA512
541cf79ee075682d4e720f2cbf8c45f068a9cb997538b943e07a709266492dde10425e2927690e70353c7c2e9a9ab8d21e6fc40c75be264f694eb909d66675ec

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
cb494e32dbfd90c6efbb6e05ddaa5671

SHA1
ee852c205ea0fe319e06eb0d847cc72210a241f7

SHA256
8a9b2aea249d9099c4e3b2f6ec47b0cb758c9437bb82e3f391fd42650728b30f

SHA512
7ca9a18b2f08516fcb5d097e9c3bc7c63a06e4099d4f796472ced24704feb2fc960bafe7b85d4bb6e4723aed41826089f6768678bf0dbc9301f6fb272d072188

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
fcec97fbd06e457e3c6fbcb453fdfae8

SHA1
546ca511d00e585b1388c973c051a73188a0e687

SHA256
2286691f0cdc9d15b2e4412e914495803efdcf87a2af7db08ae31b5d953b7c23

SHA512
45d36e2ba596beed388372fd01a1e30094b2530f873a5d7bbea0b9c5811eee44d051279180a2c2ce8803e06fa46a68892f9ed0c4d596d83b4446c63d4bfda9b5

Download Submit
memory/212-79-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/212-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/212-152-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/212-72-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/460-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/460-534-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/724-86-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/724-6-0x0000000000840000-0x00000000008A7000-memory.dmp

Filesize
412KB

Download
memory/724-1-0x0000000000840000-0x00000000008A7000-memory.dmp

Filesize
412KB

Download
memory/724-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/780-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/780-533-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/792-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/792-119-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/792-30-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/792-37-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/956-120-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/956-364-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1836-95-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1836-156-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1836-93-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1836-87-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2888-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2888-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3208-538-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3208-168-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3320-481-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3320-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3320-112-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3424-147-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3424-68-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3472-116-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3472-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3512-530-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3512-144-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3564-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3564-21-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3564-15-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3684-109-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3728-55-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3728-64-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3728-53-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3728-60-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3728-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4044-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4044-132-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4044-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4044-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4316-108-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4316-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4364-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4364-153-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4364-532-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4364-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4620-98-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4620-104-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/4620-161-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4620-99-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/4728-539-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4728-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4788-365-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4788-133-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download