24bceb02eb8433fb61bb7833e98c8dd9da1fb3884c33b0dfb505a99607e34685

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
Size

1.8MB
MD5

dc2086fa3c393b4e5f7189bf90bd6d55
SHA1

6ad347cf0ee17811c5c549b176e694dc0fb75fdd
SHA256

24bceb02eb8433fb61bb7833e98c8dd9da1fb3884c33b0dfb505a99607e34685
SHA512

fbf0bb2a37454ce4ea9f5353d0e692791db670922424abfbc6dd5155d417182c83fa20b27945c26f55ad2b18924827ce22c00052360bf2158076296f1e3c584e
SSDEEP

49152:JE19+ApwXk1QE1RzsEQPaxHNt65RjUV2Vo:693wXmoKl65tUV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2460	alg.exe
4500	DiagnosticsHub.StandardCollector.Service.exe
452	fxssvc.exe
1288	elevation_service.exe
5428	elevation_service.exe
4932	maintenanceservice.exe
1492	msdtc.exe
3612	OSE.EXE
3156	PerceptionSimulationService.exe
3716	perfhost.exe
4912	locator.exe
5420	SensorDataService.exe
5740	snmptrap.exe
3632	spectrum.exe
2980	ssh-agent.exe
660	TieringEngineService.exe
2436	AgentService.exe
784	vds.exe
2920	vssvc.exe
3648	wbengine.exe
6068	WmiApSrv.exe
5220	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ded9aa94bb5459c0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000985933100faeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008880750e0faeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000491d920e0faeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0e3770e0faeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000282560e0faeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e353280f0faeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d2a210f0faeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3d1450e0faeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4c53d0f0faeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d643b0f0faeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
4500	DiagnosticsHub.StandardCollector.Service.exe
4500	DiagnosticsHub.StandardCollector.Service.exe
4500	DiagnosticsHub.StandardCollector.Service.exe
4500	DiagnosticsHub.StandardCollector.Service.exe
4500	DiagnosticsHub.StandardCollector.Service.exe
4500	DiagnosticsHub.StandardCollector.Service.exe
4500	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676

pid	process
676
676

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
Token: SeAuditPrivilege	452	fxssvc.exe
Token: SeRestorePrivilege	660	TieringEngineService.exe
Token: SeManageVolumePrivilege	660	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2436	AgentService.exe
Token: SeBackupPrivilege	2920	vssvc.exe
Token: SeRestorePrivilege	2920	vssvc.exe
Token: SeAuditPrivilege	2920	vssvc.exe
Token: SeBackupPrivilege	3648	wbengine.exe
Token: SeRestorePrivilege	3648	wbengine.exe
Token: SeSecurityPrivilege	3648	wbengine.exe
Token: 33	5220	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5220	SearchIndexer.exe
Token: SeDebugPrivilege	4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
Token: SeDebugPrivilege	4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
Token: SeDebugPrivilege	4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
Token: SeDebugPrivilege	4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
Token: SeDebugPrivilege	4672	2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
Token: SeDebugPrivilege	4500	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 5220 wrote to memory of 2064	5220	SearchIndexer.exe	SearchProtocolHost.exe
PID 5220 wrote to memory of 2064	5220	SearchIndexer.exe	SearchProtocolHost.exe
PID 5220 wrote to memory of 1512	5220	SearchIndexer.exe	SearchFilterHost.exe
PID 5220 wrote to memory of 1512	5220	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2460

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1508

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1288

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5428

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1492

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5420

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5740

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3632

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:368

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6068

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5220

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2064

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
a7ea533147597c81e44327984d5bb116

SHA1
599a1026d9050cf9233c1261e174340f8cbff4a4

SHA256
a08ac0e091db5b4b878c3300b6dd16cabb87a78e2ca304730b8bcc8213c6a7ee

SHA512
db725b98492dbda176a3f2deaf0a1ceade799fe0b1767d9ca93d41d69064d18dd2c79ccd44edad04419a51c54438c901f089c9c01c204ed77973d36709b46dc6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
2481dd5bc07a97f3daf86097ef3da3d0

SHA1
12bb4c7e74325a8ccd00c3088f3c7aded4c7858b

SHA256
42f7d70263adcebfd0f4db49896f7cfe34504952997276e8471e2c8df1d51fbf

SHA512
97e235c6b865a6fe95b9bb0033558835fe158a745ff1f923746f63a5fcf9e4ae4208d8bccaf23312645f2720c16b8a0e806abe99130232cdc19750870d296484

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
b0f485adfe6f09439dc52de2a04cd5de

SHA1
b736c9686767153ab4fb88b382b3288913820685

SHA256
cde965e55e05c807a0f2b54c224245f2599fc27fbaf67a836d0280f1bb9ccb3a

SHA512
fd78b72b77963c8c4e54c2aa994a12dffa1db6ddb134e2a367f091dfbf63dbf99a132a388fb90e0faae4acfbaabfbc862d436b08556c217b1908db9315e61cd8

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
548a7a696e7058202beeb3af754161ba

SHA1
a1e594a02a2ef0faec6c9242ee15ed56be4126da

SHA256
f7515e1455b959c90dad751dec3dc3371b23fb58d739b3969a2d7f273cd3310e

SHA512
e04f229d1256f971abb8c1893d2a24557824323314be25b3e053c7785e0d2b52ad7d2fa61f0c5701d51d9a02f2c61923e034746306aa36c09d1b9235e96bb361

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
bf7e1c881f3a9606dc42b8d4227d151d

SHA1
cfa341c5f02913f7c751d673aca8f8c4a66fa039

SHA256
2da984b5092232d9ee06152115c2af271b5e5937c63c8647da46a1ce267a92c2

SHA512
c84ca335e08ceb895a976190c272c38938a32740550286c00b9a6afcca22ec1aab6c90a8d15cd36f5ec8698b3d537127a4ed15e53af1153d63b95f9e166a6a9a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
cbdcfc6b63dabc93906035b87288c28e

SHA1
0150e8312b2114baaf1b3a84978af87694763210

SHA256
3a29d571993ea70a7a7a46f104c29bca81032cced5b3436c87e7b8c8b957d511

SHA512
23951306d6f26e72a0d8da8b80b008530b67c97cfdf55525046e75d8edcda6771f3feea39ef0132cf2082124fceaccdb59d2061d330fe49e4d2fad2292d01f7f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
e40c1db5a196915b5027ec2806bc8473

SHA1
f4ad8c707bc1cf699cc1ce8e941a23aacbb6f725

SHA256
e1d8269ddee18b6831c065920665086eb36e255ec5ab95423bcafb1a6bae8957

SHA512
89435436124806302fd22592ee3e15d978b7d0b84f19f03e6aeea90890499f0323b6c7af533efb06f360cd41a440fe0cfeae6e760585f7f3132d4c03455290d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
1cc60e239aca760930278372fb1b3acc

SHA1
ad36a411de8ff7c6fae90711d7e54044ebebf2f5

SHA256
c665e1de90d7292fdc5e7494283bc1e8cf9d7aae94203263dca4d2d802f25bbb

SHA512
404aa56cd682e44292953c1aee5bd9ade42a46a051102161862081e0c01c5c3676f57b67724988de96a72e623b998331d4122d784fc6f918e17b89d5ca79c869

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
7ffcc09063f5fa1a8e6a3fb1151d98d1

SHA1
5843bead544b6df9bc64010464cc832f57f1ada6

SHA256
586b6c7a77b56a1a2aa70198654867c51e7693c847e69d59a6775317ec2345b2

SHA512
d52eedfac35520520f1012e8ea0c1dbbd208aab94068b1794d13160537935d788376f3fa9813a52355c01a93e624a04875a5725a267b9baed40618cefcfc5f66

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
6ced735fcf248472f796174a40e2ac0e

SHA1
1fa42511b01094c3bf4de81b2471771d29ecd275

SHA256
eaa37fe643f22cd0a5f28a85eba0836c24232fccf5a784928e6e60631b8e9f53

SHA512
9b966afcac12cd2e770b2b5c0b4713e2513dae330c4dc31889a008906c20dfb61c479b5eac5e34461fb1039b40f74259d77381949178f81f2bb1af384f1e7fef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ae9b8ea47d13b9317a5038c080a9d317

SHA1
b669048ca5b31fa2c6282e511c907beda0c20e3f

SHA256
fcf2373363ea15ed2e99a36bd89ec5280addaa469baff225668ae8cfc38ed3c5

SHA512
b8c71eba9fa528cc336397993ba58ebcb3024dd7e81300fcf96d95341fdfeae27e889c5cd5acd6882b32929bfbdfc8b4186f69c9fb95415a32399e4db03092b1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
e61ca54ad950b392bc19b30c5b3333ec

SHA1
c1d7ae352ab3c4f251e0e64f22e99ba22f6d53de

SHA256
b390db12d1b36b75b45a220e5aa8458e28841f79814fc3c2446b92f6ac15e334

SHA512
8ea1725afd51d8cd2cc576ef8e6487c3f27d9f1d423a7b30c091edcf0eae2ddb8ad452cfd4b07646279a87d1fc7088c472232b81bdb33a5a4633a5b2a580129e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
442b75a19d0a16b99d6d8258af056d1b

SHA1
b63c078430af3075cc4b2ab38ebe0f751bb42eaf

SHA256
528272ac715c573038b4dccc536cca2eb16c8c90b9fcca0203551898675e803d

SHA512
79016d681e0e0e22a2b99fef58f9ccff6276cec981c084640ab6805f3d42d4145abf7b866f764bf7b4f20ad7a2ca6452da1d2015f244d5f7f414fab9f7196f90

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
7e2b231424a063a8515461b5eabc1bde

SHA1
a70ec6c8fd5e000ff0a378c79aeb4073faf1ead3

SHA256
c60a430c40459d81546d8d3be6d8a38e838dd0f6f5bd930a873d13d1bc8f22b6

SHA512
1b04b3a76f5b9819a627a93a708347d2a02f7c345616f3d22a2319ac43da1c83633b1bae6a26e9d74fd38dbd03243ebbb73cf46b21d40b4109107836bbe969eb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
9dfa3fdf1acd3d09c1ad6016735abb75

SHA1
e22b71106a17b0719cd1aed85ab251ab79ad8683

SHA256
43981e8ffdbf49c6a64e57721c3e282311494b275391a127ad1970e3b4223549

SHA512
3e68c72e2ed72ada8b824df6c1b20a58a5a0f6595d5023c56eb9ae78babf3756847b027ac5ef5041ebe105a77b8b2721d0266c9a44e06a59e5f70ca57c8722b8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
09fb08106d421767eae7c78e18eead1c

SHA1
c6ec8686fd770dfbdad56cb46058f48216602bde

SHA256
681df968b08362a43e3b5febb72667d80ea2a97a841b5cae21259de90f02cc73

SHA512
71fd71944be40c3c02bd6d31bfea191fea82052863476b4a6e17c1273ff3edfe0602cc400c2e90541fc438acd3653831c1c9d193e5fa8b179ba68df55b04afd1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
b560927130b9737977ca42953fd106dc

SHA1
f173bd17ea169f6311b625d710620e0b2aecc512

SHA256
5806000fe210a1cf6989cb4632e08a709c44feca05f833ae30bd7f0b3e82ff1a

SHA512
9ac391ffa170ef8c11359ddd4c109e600062e68f3f16848865d060b92d5a103e23b1fcca8f224b83ef4ff0d862d510f7971cd5d9a94b5cde0435b3e4100634e1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
ef55818aa0c37f492ece577e535a859e

SHA1
c70ef7ddba034ff01fd215f5b3cc4c2e8cd867b2

SHA256
72338e7804a4b535b2783ceb4ac9572e99007fed9a63fd480b75dbfb6c39bc82

SHA512
c45b4ca20395678a36ec8e2b576f502b78d0ef5385713d5d4cf1e3123481b6821dd6481f57acba9d264d2eb4caf8767da5cc2a37e0badadaedb187b26ffbec94

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
58a990f1c9a5db1a3bb510edc74c5025

SHA1
eac68e43ac0a5c5c92b04271666eb1b3fad0ad4e

SHA256
7416f0596fbffaa1b3c06ba6101885c8448f7eefcabfe83ad0cb83adea5fc5b5

SHA512
2c6d6f63fde5517944fa718c5049cfb65971c16cb208682df1d265bf79b11256005f606b8cee76bcd609002f337fbf8ad654c2718f392d59350e2a1744ac8f14

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
f7e0cfc2f16d4a6658701c800362a846

SHA1
844e9060612edb1c408dcb26390fc5bf860aff50

SHA256
a9dd3606e95cfe2584fbd8c080505ead92ba01001b9b9fc3ab0ec4b693ce55c6

SHA512
e8afb4728d4cc8b6158c1bef7f4ed15618f0301f370b3ea8518f8ea99aa768431bec567e588dea0074124f223ce1626e14a5b7be05590e4a3311adff85313b9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
6a429dd33536747482d36741d515b324

SHA1
a2e02b8121bca43f68fccbc15c29817683984bed

SHA256
e50adefc64260f1dc7dda815caf71c0aef50ba29fa2a81eddcd1ebc7df2b4cd3

SHA512
7aa9b77cf7fa1c5e48cca299a8f3c46a84787c0a3774153dd37b80e59fb39a650ad3fc895dab2468731d0a6c51a21d259c8c0983054d741def7a88cf595b9008

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
f7ef9a5d3aba892a3daa0bb0281ff815

SHA1
90e5248e253d1851e4f5a08dc9928c836bcb5716

SHA256
15342f10efcbfca97b898cb301f0408fd2ccf5787e070e415fad38db08d44df3

SHA512
7705f6154b2ed4b90a19a4dc1e25e15fd26d5acde81e1ac70d5f0451c7896c532ea46e40cae99cb272973872e0a91b90d518a6e64a76a564fd8880852178594d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
b6b0a7961444c530d971b65c46dfcdc8

SHA1
acf4f5087255fb0939e32722a48df376536f9867

SHA256
44e1033c7fec1e38865e6af69adaa05ba62c053574b89167f4f60a719a458f3d

SHA512
e110c969be7df083cb41143abf6a672eec50980892b20cf04c62dc3b79eca7cdf781e9b5b8f615e8aa7c52adc5eefbf7e88c84069cc099469abe7054ad4354f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
1e48be168dfdbfda69d4517869232a6b

SHA1
bc3a8a7dcf6a750b194969248d3a1762aff08e96

SHA256
6a00ebfa5caecff97a68c28a3b2affc99a03e4b9e2b962ec2ed3984f49f73f7d

SHA512
e628372b102f8d7e6e0801036a58de7be4a7983566e3d8da555bcfb6363b6c7ca52ec38c63a683cfbb747f783f522a0778982e7729272aeee1ad5763f4446a15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
a456d9199b499fb467a9c2574a657b11

SHA1
5aaecf476b66922d74673122a08fb85c96bc4495

SHA256
cf0d836a33d467755bb31c4c8f2e7316671de19ebb6b5881cfcac290aa1eb69e

SHA512
a9f0e9bf643679db15fc9ea01ee9c37abe285a30809a9f2c2beaddcb1791cf1897d167cd353f8e6d24a47e44a86cb66f5c7b2c44101af727de3378d317f15194

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
75eb041fc2c37ad6a30ac4e0ebcd55f9

SHA1
3da97d5587f7f5c4a408c381026030bd6e7bdea0

SHA256
7a6d382293fb4dcbb40338e213ec7009b9dbfeb6fca4bcbf53f4e759f9a4b1ca

SHA512
df4438656680dd682090c5222f8bad90f381d971cd24e9df2e6334f520e2b24779b7face96a853b0eee5f9db8c69f56d9886415cc7007d67d7621fe8c5d576f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
e6b4a1c79690d08ace64a9b8b9a65eb0

SHA1
7242c24259e6e7eb7cf453eba09f9188d558a4ea

SHA256
401d006c466633a1be667aaa8d7652e4e8744a35209f0349266616dddfc53a2c

SHA512
b7ef800bea17b9c27ecf8c9c0e825bd5b8c73ea2da06487a17d1e90c4eec3e5756bb2cf90facd3e06544a685503bdc2afda51738e528d00a849d6b4fc193e0a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
9b84a8273c5d5a83cb38b39614d093fa

SHA1
91ce8c408c6c299bc628523a7c282e91c8ae6837

SHA256
62ed22dc3a38aa4527e088191c3edf484d71244d51f543c9c7117f7ce37c6526

SHA512
683f932dfc54449bce15524da58e8f9d9403e40b25d2491452ea64b4e4d8ff446d377a3a90b64d6ca253920d65de2ae00e0362f17ed562357c28ea91aae2c3e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
db9ce3f02bd000ae4d1326e5781c644a

SHA1
958c04beec006e5b49a258432d6ce64a3125201f

SHA256
ca8f63d8d008b8d5e8b27baba278dc64a3595312041af4fa5b48cda8776b37ae

SHA512
47ce06bc313296caf5ce3d24107f07958796f36f0b545a80c10ce90f980851e50c3087d40aa29b4a733a5c5d8fb3dd863d93cac006fcd73505d9fa8d759e2640

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
eed12f049030779acb9642a33c9d5168

SHA1
8071b928f74c561c09e93eff2a82d7586ce32e38

SHA256
77cf4e7ca3c1b968e615cfe370804c7a256311c0384813e71908af0d00e40cd9

SHA512
b6ac3ae3afee6b69b06b2202accbabf5e8bef62747237808624d14021886e0c8cdf1949c07e5c4a5a78186683cdc563108dcb08f3b06359906bf500af0c8dccb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
752247964b166c2fff1fd8cbf6402374

SHA1
5c6711aa1d37e1ac08391f94bd2c2aa3279879b1

SHA256
f261b6b3e45870a6ecef2bbec8f2fe8f7c01d228cd16bc07014026c2cba55a55

SHA512
2e560d239b36ef827b307928011a03a7139b3a7189e2545c6d1dbbcce3a2a4adc042303569e1be643c678a92bc9ec2ee31cc6b254ac0d3bbc44702fda7edeec2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
f17a1fba936c613c449792c86feef7e3

SHA1
e82f0f909baec0d200de83b02a69a78845a7c070

SHA256
282466238511e899d626d9d356af82c1823fd7d1b8c7fdc4107e9ba1e616044f

SHA512
48d77d1c86ee999e1fb2d4a77e1fbffca27790cbe261f06489aeb6812366b0a761c442f724e364ef5757abe1760d4294908079cb0470e58e37d3926d067a7b80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
300cdcf60d8063546e2e953082027df6

SHA1
74a3841cdcd4be9255e8eaeeca6ab940dbe72c84

SHA256
8261fc92417ba5ddafe74ef0321ec84945e972de29fe16ce5c452fbcf7bc0092

SHA512
69d424f498e611bbb8c5124640249684976dbcf89144858e2293c84b117b21e5b7b6120e4921c5df93f89e6729e2b4e5e1803655eeb15485e9930969a40c77f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
63732732182c843cb32560ee2ff41986

SHA1
9d6871cedc13a521ff060756cb3835604a72e00f

SHA256
a3a750578af7d499499cd7e3d8b267eacb4a65e3bb6a319f3e0c0732b2ea3250

SHA512
c252274b7e02dc3689684f75581db384dc0808242ca4f1bbf942b62807f8ece8cdf265a1ead04c3e24d1c1f51f3bd2b1872c04d08b6cf286dfac44b827db74c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
63ae8db2121a3ca6d07ee898a7b10627

SHA1
04edbad60bfe1fc50659fb06150703a22877c749

SHA256
3230f02bc9ff6a6e3fe55c0e92ad3b33fccf52fc1dab0f6774faeefac8e774f9

SHA512
38259bad50457475427bee5f21069f2c76e0e37ed560b135527d4c6a411400d88ba53490c15f2a8d20676e75a0ef181afd1f91d0f896dbf92b995a0e3fe6f9e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
164a60b108adc8b3ce2c20b01a1e3228

SHA1
e8cd4d7a4db79d0a98c68ff57e304630b6d64c63

SHA256
0ba6896bf46489fe72bcfd8515de678a95299f29e29d9ae907506bc43d9b2780

SHA512
64d55b020492203c58cb2aa28299ba0dfc98d025ee8cd80f4b1b9e8e8ddd8e2289b23c66e9b324e88dba107eddf89faca5f60b65d3fa3c6544b6c4d0eeff9ae9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
d9c2eabdc81f056e5bf357850bf4b6fc

SHA1
4d05676de5d91f9c21e1d2f503fddc6be70bfd48

SHA256
b3e26bd6e86d3439d6f8adfd93a99b7dc151feb0c33ecf56319093d4f5806a8c

SHA512
e204b5cadf9f63ffc02b5a995c3d5c8c5c992c913c424b2be5059d29cfcd3237961c06b6bfc4bd8863a68616584435495065d27a37515bc2237f92b88e1d01c1

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
ceb4a954231afd775ee0d22f24f54bd9

SHA1
52ea2d83bdde81fc7c69eb347114014c51df6850

SHA256
d9edfdec181c16f65ca9be79105bca5a1bc0a5e7a025891e611e7fe59590d80f

SHA512
0288ab30818e532841a870304a9da56aee638a68e6af5a69565b410c8fab1a454c954dd49c583c477e2973330af7359c12d0ba5ee8124248b3dcc0d8e3a30b54

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
d130d7467ed55afc49ef04860b6d7c29

SHA1
68fd42861aa4a9d57bc57705f3bf4d8f9bf1adfe

SHA256
f45d6f972e1f83eba37a74a34ad5364590532262648b42455d4747f8ac32d2e7

SHA512
5aa4af56c2aae1fde6c59c2964bc2c044d1bb9cde55c1b0148178eebba74b2d1b85a542f83a442eccb854af074491b112895b27ebcb38ef70f63580581f94c19

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
9c5c704c56e5d2bc7558847801d66c0e

SHA1
a5e8d20874541884ffdc992c453edbabc96c742a

SHA256
69ea76e1bda33ec11b731da9a4e94918fff734ef28f5cb1998491d31e5f94470

SHA512
e32a4397616c0b6542d5b852d1a833855918ba52300a1a911505b4fce8dae272395d7a27574a80f5475ab046bbd7c3d41584eae2723f08f351c31e4e3c2205a9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
653b25e3bebbda6d62e1e70ba0ca2f16

SHA1
b1bff8a8ae41b5c22f187a10009ab991ca99bb79

SHA256
6aa81c29f71d8577ea5fa632336132dea4a66145218ee7da5d0def8c91a20ff9

SHA512
ca41aaa125b9ed3a61288bb81b82845acf6ed7d4ce55b2f2bf18ec9f27163d99ebb5ac636b364af9a69a1702fb2b4652bd0298dc54dcb5f38862ae641dbf99bd

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
d2ff90738262370b8b1486245515e3b7

SHA1
01ef53accefb5f02799cd974f87fe505a5117f40

SHA256
8d72e5f437d898219adac830d4ced4f8a6933424b634ad96d9e18d2c9bd43926

SHA512
b86b2e4b8df5e58ac726b0a9a5fdf49a9ffbdd6f2378a963d0327c592622e2ecc808035844e5ceb0b31606df6fe380ba8c6f1d5a3209096f7e52065e3b42c1e2

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
05610d83e6d11d1057de6d3846419a3c

SHA1
247b5e993bf4fb26a0314e8e442788bff85a3928

SHA256
ba6ee5bc20b8908b6c36f16b5203d0481f3121efbafbbd164532ac897da850f3

SHA512
9053f2b0e8829418689c629d78d66c550097b0b57ad843783f158ea24d805ae23c2d6e0f243d492a214996ddfe427d79c3c8abc7152eab997d29758fb7504c09

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
2d0ab0c46c22214ee51f06b49a458638

SHA1
f7963e9262b2b7241f2c6b3d0bb1505e99024476

SHA256
d4bc050ba6e98e07ba5b94b14ae79dd0f8b890a19471c799bcbb5cda00d671e3

SHA512
5c253b9fff84d5f14f6270981280ae7bb41ac76253fe18601613f8f8b1b6f7c32e1d92f958555bb543df8c10d9d8004c41053bbf9c20ddf087d6469e009f61cf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
92b4915863d45dde4c6272c3b6e876bd

SHA1
55d937195d6cd4d8a9fe41712f951defbcee3bcd

SHA256
f23150d629a9aaa8a08e146350716695d6223b8d1dc2d91388d0ff25198200c9

SHA512
0f5acb2bc5598102bac8a854210b7f189f2915f121b0ddf2a0d9a24b61e665199877e96ba8d9db149e992e6293bef5bd350bb74ed78c1c25ae11cda9a3566fd5

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
068d7619c5061105ebb2fd28f1fac71c

SHA1
f2723d9f5efa97547d757ef31dc08f77c46a1a8f

SHA256
17c27f40f076c759f2cf8c01100e49b1b5ad40ad9efe39c90f8b27ffa15277d6

SHA512
b94753ec717fcab5059684e7175deffb4df5c030c36061b6cd717889e1209ef1fe7a68fa86ec33d1898b9a8f4028fe03353d8c742b00bcfb724cde0247e1f19f

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
c67ea5b3faababcbb6cb36c627867648

SHA1
d6b5e0bcb5d8a707103d56cab2abbd38f2e9fe2f

SHA256
18a917b34854b511eb426f49bc1dfc565ae29dd9ddc21ffe1123ff31957175a0

SHA512
75ca823311ff0c1e71b195cee750f2676ef3cfe7b68f9cc75f4d85d6782c29a4f22b629b9e8fb0ec24556c30816ca0c9211635a73154290c16e8f1fd442f32f3

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
02d4652a2d52cca8cfb16f23b856d2e4

SHA1
a00c26b03c1f2c77655b99a2e8b896d87ed240d3

SHA256
a69e4f6e822fa8720a3d1d190119dd8c6692649ad463df9ec1efe193e1947d5e

SHA512
bdb5094e3dd45653a7992a550d681f394d13210dcee2738a7e35d92edb267181417c59a41d807813caba3ad84d13907bcfaf5b43d0c9f14dbf76686712be2399

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
18b801375638c6561902a8f82a9b9f28

SHA1
1933c8aa54a2839822f66c3e2765ef904036a93b

SHA256
7c8ae63153f8d80fb2bb6ba4d29e19af57f9d0375e7ad27d7fc158d048e12229

SHA512
17fd68b75880b8e6abb95412dbc6d9e239ae5fc4bee7c1a841bc689904434ea59a12e3d50358eb0ccd82e8e9934735b7862a02022fe71a602f2c4bea3ed06adf

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
9ec5b8a0214dc985051e6fddcc9e13b9

SHA1
ad22a04590ae0f60746a21056591563f2c36b7b6

SHA256
bed0ab4da3ba154ef443695a9197860d1a8332b17ca1589f664393dea6f9dfdd

SHA512
10c6f5706caa231a533073c99f378e353458a0474fd9fc42fb29a06f7fa2490b64797a078a39cb0c1378fbf37e30c3079f1f41c4641a9b4e05105152fe1435fd

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
2f62231a81b29e1fdcece04338e8f295

SHA1
68f3c0583e76659c401fab5ffd94e497b4b0b728

SHA256
3d447ddab010ddc3df4add1cb7e6baa7199979ff345ab5375ca0ddb21ae58b25

SHA512
fdb74be835136119c2a3b73eaf3029116564d036909db71d01480f21dcdccfef167bd64583db2bcce3ebd5b452f970b535ce5411507bdaf5f7b877192284b5c4

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
de0351da786ce12abecd62563da18fd6

SHA1
1e9e0c724581ebcba76d99f253d14457a6d09952

SHA256
9a2673c1b25c0a5601824ba46d3aaf470774499400f859718fc285ec304b22d3

SHA512
96877d2fbf8c0f203253a2887db3921f0cefb322add87be66961c9c852ff488169d6ab61022f7fa73a0c994d7fbc794c535af7cc871fed9bf0bbd33c6f147ac0

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
3c9199b669c5af4d78994be9d099bc3f

SHA1
ea8d5f7e9523accee19db63c5ff90f71e179a9b4

SHA256
de52c25db46fb2bdeeac9bbbcef0908401a3db7a59a201d6673fb49a168d22ba

SHA512
c3da916acca1d0e8ce024153163d304666733f6eccd2c01947416ce527af7762fcbfbc1504ca4f4ffa4ef758493c82cc580c3e09df110c963921fa4be3f7f19c

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
6610a710d9740d0addc82acda65ce5b4

SHA1
022330d9f6c9678075eec2ee5d7b2ec5bc37958e

SHA256
b516971996df0bce7826fb58b8eff745a639c8b29342117d75e721903e3011ad

SHA512
1f6a7837021a02cb035355d1c52835d60aed05debfc45cfd388b5c3ad3d28d318a0e68400271f961fa1dbbbdc50f0d4c7792bc2d8f3adeda33afe49fddf6be52

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
3609a4bcbc5fb5ea96665dcb21a3842a

SHA1
fccb5d5021184373d0e8884e2a3482cae790919b

SHA256
a68258656a7f1365e71ab80d76f2945ded76442b62d9b47d1e041a0eda27330d

SHA512
1ca16e719850ad4a5ce3c10b92cda92d349feab2876cc9eb18d34594e2a341ab340463ed2918e7105399dceb1d3eb84abe644c502f61d670cd8b344988321687

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
c925e3928883db8c9fb5fadabb0be3e9

SHA1
4589eee09b93dc4cd6b897ff4e273912cbbd3704

SHA256
9fd3db6a5fb4956197989fbb43637ce6d5b5ea200bb57ea9ce774499771c90dc

SHA512
6947b6c647c29fed8d33fd9fbcae4cb40e06401cdb72bfe2815ce3cec0d2d25bb90251cc990989f2e73a2751008562c872041cfe05b95aa3a87f78560f51b35b

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
8299b982845d676ad6363fad110e647e

SHA1
52edfdb874038dbe9f4d7713e1fec0996d887b1e

SHA256
47ced93d7b9855f65692e5b244696b8a8454cc13b94c37b28ec4f39261a886dc

SHA512
d66d76ba31bbe3c7407a63344aa98fd715781077ab918930db9e603f6f34f1b8ede0db34576b4f71e8be5b6fec9703ed85abbf2720dbc959ad6a2aae137eafbe

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
bfa546c05af813b86c7e67b3a8eb8af7

SHA1
b96664cbf7ca57e9b6c5713e4e44da6346e5c87d

SHA256
fa6a3cd64b6f95401c5a8df0cfd07cc2cc0d2c0bba39b44206789b284d31bc2f

SHA512
1dd837811cde9d41c0cfd63c9380bf9367846e5be4d77439b70aedc322c268d8afcea04762afddf72ba546202dd6b69c6263e9ce016a105337912baf8bfe9c54

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
3550f17173dd5963c2d2eb9a59b720dc

SHA1
873efa9d9108a121547cb0262e63bc75a0baadca

SHA256
302b16e40c18645dc648c84c864a51f6e95132a79de18c08ee7b605b571b4c9b

SHA512
469da2fd401dac914c6da888cb1d33ff652bd2b12997ee3e14d231c995167f546cf7b1e19693616edff564ffbf88a69961fcea0f14163aa436f492daefb1ca0c

Download Submit
memory/452-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/452-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/660-144-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/660-483-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/784-152-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/784-484-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1288-143-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1288-31-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1288-38-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1288-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1492-81-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2436-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2436-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2460-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2460-116-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2920-156-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2920-487-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2980-481-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2980-140-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3156-90-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3156-84-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3156-97-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3612-72-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3612-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3612-78-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3612-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3632-384-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3632-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3648-488-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3648-160-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3716-100-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/3716-159-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3716-98-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3716-104-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/4500-15-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4500-24-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4500-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4672-1-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/4672-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4672-6-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/4672-108-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4912-110-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4932-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4932-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4932-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4932-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4932-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5220-168-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5220-490-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5420-113-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5420-167-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5420-482-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5428-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5428-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5428-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5428-147-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5740-358-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5740-117-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/6068-489-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/6068-163-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download