9eaade0c6d829a6e2703d68eb843b14189909b78e17a5e2c560e599489f4605d

Analysis

max time kernel
109s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Size

1.8MB
MD5

411f91542c9e4be6ac58e39cb6ee6c56
SHA1

896a0a8da0a0356dc575a61a28c9e76d270a1d82
SHA256

9eaade0c6d829a6e2703d68eb843b14189909b78e17a5e2c560e599489f4605d
SHA512

b5c75b879f8f3bc409c84f44cdfada33e00644d9bf1f03bd2148157fa8fa3ce1e9c9b30ebc8a87039e82471b31486523c31868eae78b8b6def405a1f02b957ef
SSDEEP

49152:/E19+ApwXk1QE1RzsEQPaxHNy0vo05s0eusONlP:Q93wXmoK6eD5s0JXP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3348	alg.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
4744	fxssvc.exe
3252	elevation_service.exe
3884	elevation_service.exe
4848	maintenanceservice.exe
3300	msdtc.exe
4280	OSE.EXE
2212	PerceptionSimulationService.exe
3752	perfhost.exe
1876	locator.exe
3028	SensorDataService.exe
2216	snmptrap.exe
3876	spectrum.exe
1088	ssh-agent.exe
3116	TieringEngineService.exe
3224	AgentService.exe
3908	vds.exe
624	vssvc.exe
4100	wbengine.exe
1688	WmiApSrv.exe
648	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ae335718c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d425b0061daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc38c3061daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec4452071daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b4271071daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f0111081daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
2540	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeAuditPrivilege	4744	fxssvc.exe
Token: SeRestorePrivilege	3116	TieringEngineService.exe
Token: SeManageVolumePrivilege	3116	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3224	AgentService.exe
Token: SeBackupPrivilege	624	vssvc.exe
Token: SeRestorePrivilege	624	vssvc.exe
Token: SeAuditPrivilege	624	vssvc.exe
Token: SeBackupPrivilege	4100	wbengine.exe
Token: SeRestorePrivilege	4100	wbengine.exe
Token: SeSecurityPrivilege	4100	wbengine.exe
Token: 33	648	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	648	SearchIndexer.exe
Token: SeDebugPrivilege	2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeDebugPrivilege	2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeDebugPrivilege	2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeDebugPrivilege	2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeDebugPrivilege	2312	2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeDebugPrivilege	2540	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 648 wrote to memory of 4424	648	SearchIndexer.exe	SearchProtocolHost.exe
PID 648 wrote to memory of 4424	648	SearchIndexer.exe	SearchProtocolHost.exe
PID 648 wrote to memory of 2848	648	SearchIndexer.exe	SearchFilterHost.exe
PID 648 wrote to memory of 2848	648	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3348

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4620

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3884

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3300

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3752

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3028

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3876

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4700

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4424

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
4bfa5a1539c70653531708a757fb0715

SHA1
b187ab4a0c17f81832a52f25e5013d2c60414488

SHA256
ce01824b67e1c5a340d45d56429d2c651bd643c306561a1d3a679a87d83011be

SHA512
9cc7564e2a2df53e7b127643ef9b5f1763c993ea0226e7d92ae3271af64b6fb686e70efefc38a29471dc586ceb59dc7e5ff561e296a09b6da06a6fa638e196d0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
3d5f335547fc90bd0fbc15891e5a99c1

SHA1
bc3a905fbb76929b91f1ed9819ab1dbedd8ff8a4

SHA256
071e3119790cc88fd549c0ebcbe719ff1b0302b8d3107c29aed4f8a22942ebea

SHA512
dca4a011dad9a5dcf5d0d07b4653e073e1d998ad9997cd54562352939c6813ba7ffeef29b5688e2c786ee2e11a09a693ce62f751b372df2722186353ffc744e1

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.8MB

MD5
0675b0f105cf34e4b2540f8ec11fb64d

SHA1
ebe94e827caa1027b3f88c7d52f4d0ccbe4c465c

SHA256
7ddf0eb10de066f45ca70f0fa90725fa79f33dc5ff03dd8dbf482c24e4c3cda7

SHA512
1a79fd14a0725b6008abcd869341a5b4be416a6547e8507d76ba48b388a05568de831c5a594bfb1ed0f49aebec0603dda12725f39df6ca950f91fda2071602ec

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
dda4cf4ee8e95c331614d30796a234ec

SHA1
20b48df04cc2ba818d56beb8bbd246c3257e609c

SHA256
2c994fedb3c7741e517cc3f233d74d6d9362d59f81a20a58e33af2031de630bc

SHA512
d25b38d40c534e2c6604e2bd36019e192a3130fd6c7a99f36c76641d5a4e341b876b9eb2954a1112d0c0a9857206bcfec563239c87632029a574ad20e959b69c

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
db10447425e3941bc37b529bd6226433

SHA1
15ef1156077e1fcfa21e0a97df25ab2d0581cfc9

SHA256
0f84c1ad38589f8f1e4758890163d0ee3e3b95b501039f8cf363b80323ba31db

SHA512
338259d0644eace14d088eb1d2cdd0ba2e546bb558dc547f0f4ffd9593ab528dc0450c61f1dd1a9554f919a3f2f58db1acc95340260f08a5436c85240a74631a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
a7f708dd44afc4437eeccbf21f3ba788

SHA1
ef8eaf495cee24434f1624089716ac21c7c5a99d

SHA256
8a2b1d166c7f81c58ec3f5295f00b75abd5e89bfd0e37bbbea77732f794c8449

SHA512
dd2cda45e0bb4f2bf1460f1ecdd53ab019d7bf8e54e034c171307b65b241111d0319982eff08cf4c274d6cd16c744c0b1f2bc026c1d34339d20f097687b4ad96

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
a1302ea50d17d5a7f18ea70ac81a7c46

SHA1
716069cd30ddbb887600d691c089283e1b10a425

SHA256
88d8da305041dfd9cef02f1133f1ab979ec7a4c024a29419784a9d2877072768

SHA512
e14bfea7e57d88195c3cc9d36f96cd851576505d15a0b0be1017faa10f0529f769cdc61b944f03e722ef4a49355d884c88466bfab0d2da1dc94075e70c4d6792

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
fd13974abbad9ff69c3064dd96a3062c

SHA1
2ab0c140e5f9434b425bceef8261ba329040726b

SHA256
ca76442fa1c1f44ff5c77970c5e2747daba9ed5605c1531b6ec517d51a436451

SHA512
3fbe5cbe29e704e7620b27c9b6425132df6526373e2f0885fbce1ddaffaa09a399a9dcc5c642d4e5c98ed3073cab117ac82ce573c4c45efb0a226293dcdfcf9c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.6MB

MD5
bb2ca00a51148dc13a0fed03c476607a

SHA1
cb70b15067cf2c7583dfa92d0e574c3993deddec

SHA256
b5f96307d94ae6acb38000e1d30edfbd73af8d02c35503aa78d1b0be877b3cf5

SHA512
1802d98a13aa98e803b60610a1276aa7f52355a04b29e77a6c3a9cfdbeca02166cdd325191017b8dfe60ea1ebf4fcfb12c848240085bb4252b729966182c141d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
10ea54b8fe416ac9ff5408d2d2a05484

SHA1
c559a5bbac102dffd31763e5f011dc9d58da5ae2

SHA256
b7060a53c47a23095bb49ecb88f120794c529002283550c2826c68b667b7428c

SHA512
e051f33df1c3a56273b589a63dd306657cd7bcb34262b2a193040ad4994e2e83751cd0052d4e40a9ab5c3a1cc5daaf2b24e0a2df0cff039e67395c5913947849

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
a125d66a10bbf953001fc7e12660b795

SHA1
9e8b06c60c7a8476a9d6b89dee7db1ddd13a304f

SHA256
a9e24c3ab1026619d72724ea1e54d34831a99dfae64d9189298d36c0cdca8346

SHA512
37e0c9b9db2c3e552bb289df6bf5416d1241f63a24c8fe06d09b2560261adb21f805b9b470486f55c12d81da278272b5fb1971f6ddca02b0172497375f374769

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
1be96ff7371b5b351dbb340ab8a9362c

SHA1
3f4621b5d4340664c64b0e9a7ebdeeeee36687db

SHA256
21e9aad44e58647f8afe206da03312bec678b91f1b07bb30ddf7012e2259f53f

SHA512
f1a4cf1da67d117d566b56d4bb6d4e0b087221383036eab51b23e495b058d919d363636e1009cb1a1a5e7330cf3ebb1bc9dea5d78f1e8c4d66dee4da331e8ea2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
bf6279714477450748df9115d2141a81

SHA1
2469c45edab735552a72460c8271d018a8b50068

SHA256
07e257d047790cb5de554cce6c547f3876576ca3d38d80d5fdb5d464e0e97ba0

SHA512
30b30519802cbbfdcaed51852c23dd6e384c117fee1efaad498d28f681359c13933fbf62da6822b5aa52a281925fc7acca74410443961a989cea60471180d990

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
e55f0117139efe040f5c41c3b38b0ab4

SHA1
b250116bdb8f97fe16b39c1966f8e5a06f85062f

SHA256
06e3cabaa704561fb2812a47acc74fdee46858916f158c6f9afeca7f2873ac9f

SHA512
19ff48548a99ca1792e423d5e3011b1a74e8727f8648f7120caeff5ce861e1899c97c03a9202d58b970b2eb0699a349aaa63fc392f492b78a943a9260537227b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
dd839ee500a25ccedd45cd4c55c8d878

SHA1
88d30d89c8b1690334e8c0165c36ac90a4895023

SHA256
39085c03936bef1db051fc3e94a292a460e2c6a647adf3104287f828054aa374

SHA512
701a948939e5945636016779eb011386b9d3b385353151656eb774bd08b6c21a73fead161e738717d6e2630eb92bb1f3bf3288b853de17ce5160960de6c59738

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
764167e26d223d7e3388d28fdc3e8c7b

SHA1
cd9f5f6e569c4849ea47d1b75ca2972bffc6ba41

SHA256
6fe1018499b90ccce5ea9ad151ab5ae311ed167b3310f4e417e90bbfe3493d59

SHA512
2b8c2cda707ae903df5b15db3c34e6d303fa9deb85537c517ebbdb71e363db24932017c9c1e5bbab91112012b417955ee8296d245021d162be07bc117ef6c42c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
ef3e314df6b5178caab73f206f8f6254

SHA1
9354f236a22ccddc0dcb7d90fb381957fcd80d8d

SHA256
02556106b8d2837841c0068a499d832ff7985ab0761d7315c15a46cf9a951d65

SHA512
1645fe57ba2686c28069a54a0ba903169f001fd199a7f33d7f6220bb42026bd6e546b98a42d741c9c7c4aee8fc2274318aa0a473d4b1d04a35fd8c5e021b7e5e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
18b44771c9c12a38f050658b51ae2ee4

SHA1
f0b43f9e90a3ec554a2e9c1ba73d270e34fa471a

SHA256
137228ec835c06591ec31a930b27d6ec402a464ce4c65f7fc82eb9292cb8528d

SHA512
95a1256d803b28aaed4981a9a8132e8417ea80689a61d4dc824c24cdc4c533f1faa42dab01015197ad95d0419eff34478b6498689739ea198bac6a4f7cddd5e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
ed1b9af38b0a4c506c32b786a33edac1

SHA1
0b5bb1078dc95c7d9185d096dbb711ef607692ac

SHA256
394fcd7cfd954439c8b566cc18923571473b1d56edc5c058122bd175c4896c40

SHA512
ea0a24791ef1f79b35335f93c42c2532fb844a87b97bd4c3e44de8e372bc7a94960a25a518c229d8b46bafa11c4f9998f5abb36a01018409f39a4dab2d11191e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
c486453c97b0f10ccd66154968261033

SHA1
0b907bbaf177b7c1b3efe734399c734192c50544

SHA256
5247fe52e036e2a9952c45911d5654ad35a6a7ae2b1fb4d85c68f902f5f061af

SHA512
85d3c7b09a289fa3d2b1e8959c2d1a82bfa46a3f440442df512e9f17f2ff70a8f6cc2d454232ffbeb4ceb7b3b33283227911ef6e5769d0407c5474db3b3d0a36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
6f65fb709a167ff57490473fd9d32a64

SHA1
c12018cb1925b99358e7aec74cf65d165b78dea5

SHA256
1f370d9f8d9a963bdb43c7c3091eb4a741f44389ddde6cbaff902b5c90d0e65d

SHA512
65bb368e25b816373a2064f7030654d3e35e2aee7046c59b210f3cb30f478b4bea2eae8a7cd3765cd064a3c866bcf34295c3d4d23ec142482783e595be0fa346

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
5e21334db8ae0a310313a5f5b89c9949

SHA1
bc63db08c4771fc09e9c4b326390690c5546d1a2

SHA256
db8a06bda2a8b5f37cab0b653884a75d06aad39ec32d30e1714c0b721aef9610

SHA512
53f1a34d73ee2cb268896862a7ad2faa929a862c75856093ae83d05c4b7284bb1554567e2a57d1f14d696f35bda009030f011b8675d8ba7993bc9d12f87e81f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
9ef5f3ec6b4151ec98b0334aefe2d740

SHA1
8fdfe5636387e0e9f869cd109b7c4d12c5722032

SHA256
8d6dada0ce6acef7b8b77109e691c6eecd9e670151a5d680e7a8dd8b18d7184d

SHA512
4ced391073ea883a073c8cedd4c7fc59f2617a2e97b4a4425760301a14cb0beb45156f18c18056e5f8b23b4c37dd39cb14929ec7bde4e1560f9178c08120336d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.3MB

MD5
372b280835d0299f3b173c2ddcd2c54f

SHA1
d4408d19ef3aabde92a0912ef407fa8b05ffa376

SHA256
ba39f5b347210c0f672fbab8c320c1adaf7046cdf390aa2197d828d94f0da318

SHA512
f21baa5cd6b236c7893d80dde19c53b737b4ee097494cdbeb350d644270ea088e815028538da7b3db7d498caa2f7dbba09388199094aa19eefcab7c9c0689645

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
8d95565c26443d5228512e8e5cf5a675

SHA1
58a738a333229ca848acfb299c72c2ad3cbb642a

SHA256
0f2f6d3188e8889e264ed0fe157934a6a8c6bd30be26ea8c9ecc33e1be674543

SHA512
add1f97efe1dc5d24ecb1fce4a557644210be5d06f030d9c030233d9073c992f0265c3e262be35ba402fc683169350e08a8abb1ab380c231ae298947f803a488

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
bd4ef75f8b793b49f5681c346360b29c

SHA1
0fd300f2c039041cfd80926309d1981d35af70ae

SHA256
03ca3f5aa979689185f6a99d17a717b2abb5af5924b7a07ec14fb8195e62bdcb

SHA512
b355a8f94e819b23d6b07618cb3a4b6d630b67b6fa878266cd5deef74a7d4c53ca2e50933a801bd224af286bbf595c1cfc39c52f59bf9280f43c5518adb6dc1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
337bc9ed965a5c3fdc46b5f1f203978c

SHA1
f3b970056586338af1ad7cd5968ea920c90ba348

SHA256
d6fbdae750ebdfe2caa2af38dc9a275cfcfe5470c13d605f52c8e9813eb27f5f

SHA512
2fd629c616f4d5b2a4753596f47d8782b3f6adf47ed5b0911d200696792bf7216993560c8c1f3ec16e438c05f95738a81afcd3cf03c58110a7dfbd09b223ec7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
2bfc9a2cbcf4723b9c0ce83696c6fe7a

SHA1
121ccdb260dba8971bc6f01df4246b34ea505a8c

SHA256
02640b0539277709ac58b15ee55953486110b37172f7b942d41bda1b2a0a42ab

SHA512
bce4e2fe11d8da97b56d035e0d8d98970e943c746468e2ec2bf19c90fcf9b8e7ed76719c90b8f1aa22224c3a830401e89d18910a5fbd6161f026bf6e118f095e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
f1da451688b831eae4f17ca287fd3163

SHA1
a66ae94f0253fe5b6a63a9cf2cdac69d51e44053

SHA256
2398251004534066bb4a9bdd5f74139d2633e2319dc665f613c91ba94ebae995

SHA512
ee8d55bd70f3e0dfa7df7aced8ae45d5ab1e72d4d8a87016566af373a76900a67c91495627ae927c30745aff5c8318431a8a97eb27903aa6ba97e9092019c245

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
2a410711b0dd7fb137086034ba604744

SHA1
679577b4e77b13e4454de49d70c8113562dca651

SHA256
d103076b060b55510fe42c1dc258143f5c8a61d37a1ee61f84d9186eee289812

SHA512
f7572a3a3f530aa032a50925a739bd3b14979a953b9208e2dd8e85256468748d5459f2b6a2330f18601893d82436de5955574b926c10a7fc1a2dbc105b73ba6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.4MB

MD5
e041ac7ff63578051f1facbb0039e64d

SHA1
7a3259e7669b2b38530bbb7e2a88abcd90ab6dfe

SHA256
43aeabf01e8bf3c785142a8df8fe5c3c9fbf83288752a3b74a6fcec40cb60a95

SHA512
546821eb29db4874ef0c3a593c710fefa50e99ac93c633e3c1ae187bd540bb1d46fd93972339cbc1de09a472c5ec8b6e95d275741a01dd9b4f6b85809596786d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
b00cefc49343ceb5140e706bcef93550

SHA1
d1d17ccfcc057e94e8354426b35674a0a14c9c90

SHA256
008a0571fbbfaf23043d76f20c26e96c85f091dedb6d2bd88d77fe4e12c1189c

SHA512
e5d4dcf57fd006a43775014ae68dfd3ee01555c83fdd6ef9d83706f0e86b70e0730c408b83e5f3e0392d1802e6381d52584893e54206381c690e4ae0cd5d4052

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
874f13e1d53bbe07b636765f3525beb1

SHA1
213a0fe259cf3e7e521d99c34e4c51f9e0b335f7

SHA256
ec20fa3ac46626362513a5fd26daaf1d6a3b501498bea76073a22c1392ac808a

SHA512
c35f0477a59e5084cacad198f843a2af611d7b1262363e1fa8c94738d0d5e6b424a857d4e3ff749fefe3bb941a64fdaae3bdb5573823c7803e49e8b63929b1a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.4MB

MD5
80c0d23934e872d3f9828b4cace124ae

SHA1
27dd48a25a051aba724d00564f2327c944c5a9ce

SHA256
f34c4582718eba0651bb0f8d33295d5acdd50c00c3bf771d695dcbc62824ea2e

SHA512
3817e3263903a28b1dda56166009b5d4543e1ca936c6f1147060dd1a573a487c2823086af9749facb319a80482f825bf5bdadd89a4606a6a932ce6c066f7f5c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
d3cb1f6e2816a587be17be3dbefb924d

SHA1
86f315dd86bc4dc6cff8f208f1236ea9d0e61d29

SHA256
9436105fd471321df3872986d0e56a09a2ccacb7f8cf7cf0c0f03baa9f059454

SHA512
5c0a62e12bd87d20bc9d4f7b8b2592f9aeae97e0d95e008073f49fe1dc6edee54673443681ce0c7896b3b7fe0d1c16b1e04bcf6ff2423c3ee54a064a066ecd32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.7MB

MD5
e1981d937a181b854ff3b067f6f0eabf

SHA1
48c51d2520f93f48d61a3d50886b41ccb1b62c5c

SHA256
954297b2f48a28f48ac82b4815cb97a3220ce034ae010b9b1736f28f00aef168

SHA512
17b63f05414ba0e7db798d51a65f08f0c6f6430ae4c65586df7a967f36f44473c8645d5ec26f15738932a05166cc59cbff29bb559890986c7f77b565b27ab5c0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
09ba9193d5a804ddfa783f0f9303a04c

SHA1
477b4a5835de195dac32a392c8c803c4c40e77bd

SHA256
f1e9dd73a7ae85f6c3348f2321c53954e0a5e3d03bdfd2f3da4f40f192cb9571

SHA512
4c239dfa5566813c4be3236ddf85135c451c890d60bce6e19630ee7cb24a39237a3b34ae38f46728877530cf454d95ee8862dcd7d19b7f6710d923f9b9cb0c38

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.4MB

MD5
2463799cdc039dd01861f488370d95e5

SHA1
d06b1d8787cafbf2d4e9f83a1c5c4ebe1165985d

SHA256
61b1183bc75b3ba10038b4aecd1550820eebe452812b694a9fb8745bad323a3b

SHA512
c062bee7bec85583657d988e4848efeb64c7bf20912d54fb0b93881aab2587c58e55f06687216fd68ef17cbe71477a71741e641b70c7ecd49f297b30bd58a8b4

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
a781b194610a1e3b3a337efedcac82f9

SHA1
1e00b3ffb0552ed603f5febe5416f9299873fdc9

SHA256
5b050cbce49759080e4e7f5c9b5391aa9b6c14cf4c02803e9448c2cfd6517b0d

SHA512
61120ed7a8ce61772c062b6d216b69a531ea4b296f65a0e7b5199d498355bedcdcb87feeace755da464460491579352b37a2ae10019ecf98a9301be74b2f0dbb

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
0e5962755bddee81648b33ae042bad84

SHA1
b8204d615d32ea4339c06b14175540584ed5b7a6

SHA256
a6093b8537ff10d1e15d0efa2df35b1bdf8a79b264bd5bb44f1faff759301dd2

SHA512
f3644c39179907fd6b68f5ce336ced0a47516f8182642d67ba617b4db943cebc40c9f3f71bf1245bba72d0200a6cc7caaa4b7ee844efe8030ca2c0a7bd7c14d2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
1b3c3ed5ac7dec6282d1f5cb84af1f92

SHA1
3872f9f446b14e9d974e20ef23e63362ed09803c

SHA256
27710d603552f8044494d07da518ce2e8c79e1ad2256f306d5b9fec755a296a4

SHA512
6dfaef5ec4e0b5311d21c8bf532bd42a56a55b34e6a1829b77d85d2655144bf75f91b660c7fca19a6398a080ac5b3b783108896d13430af1b2907e52af64a9d4

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
82c1dcd46f94a83144871b8b59ae5ce5

SHA1
3397011ef9bac7070b6c276ab6e9f6d0d396eaa5

SHA256
98bbca87276c58255ca8e3b87eb30089f9cec77f87f119a2db1169f5834a69ff

SHA512
cfd95572080c3ac4e92b08d9f7c8709e0ae99db252ece8bd36c0767b4c2e67818750d742c1ffdbc6f32dbf9fcc71d361fdebf07d65b08713e5e70adddae3c098

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
cda984ef3539833346e69e4dd4d0cdd5

SHA1
fd82b70f5874d50f41b65c6ec0126e9943056a41

SHA256
4d6f1b17238faf8856c06d24287903e5c134c41d7d3beecd0a80e406c84a66c2

SHA512
89df425229784eba293516f8eb2d1d655371ba4fd82af812be84ec57a428ee42094d3f97c13fdee6f58252d53e2f65f3d05d89918bcc9b1189680f4bf7fbcf93

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
776954576af919674f572bd0ce7b67b4

SHA1
180aceed4547427915851910ece0f172ae705726

SHA256
5c40b1c7d437983f8ce841c05e5f67b0cf72b3c8153638adeef2727fd414726c

SHA512
a185a9eb4515be7126f010bc1342b50ad7aa26a52570f911f33d8d49b86c047ab5c768ebedf4cdd94ecd29d3a679a10a29d5cd3c754881783ea5c4ee967d3020

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
f432119452260fb528fd58e028f9fe28

SHA1
1e7245dba891f86aebe1f3531596e3f4d749c2b6

SHA256
c4351b085b4b6a4cf20981ace71a823c8851f2bf3d968f0cb37d53799eb912c3

SHA512
76e53d2cd5e21f0d9b04ac4a47bd23117145f992e234a5460041e597b611acbaf27ac5dcae971a59d91e21cb90101a6aac30faa1608ad4cd04225ab421c11826

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
c2e0a1cf0650073677f1aecd9ea6517d

SHA1
f4081bad6e4fee287a4eb6d064552f9c90a23536

SHA256
d3f426872307ef7d11b6ee257a2e29b61516443a2d1cad568265d8260af93d42

SHA512
546162877a119d513fc03879cb1b0223615d928efad0fd37607d5590fa24f12d7add7f00c26ea52f439b9f9f01598f02e434ff0bcc35ca9bca1a95c02b172a4a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
f03e2c2cafb10595d77bc70523d9f6ed

SHA1
dd1a2973ae6b777905aff7bd2c553f3ebdc26ade

SHA256
8052b9509dc18399b2199d87e445693c47446ea1c435b1b25c42bf72da073a71

SHA512
d2e33f290b18b4d1f36ae77971e8161d745ce7847f383cc8ccd1616194f7a448f87b4274d6db4dc4c0f266c34683080c41d3500a0d43834991862e505a41165f

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
49c1326d74bab8f17bcc040b8a8981e5

SHA1
095dffe28b36e5128e61b01d564704186a57b5c5

SHA256
62313b0528f706b7d3745acb29b9959151483bf7d612b99428b239648cb62c1f

SHA512
57a9583c866e47f46481dc008013512338f76e586ac9501e77553c512c230c0cab0333e3ef2d00003e5a3d9334434a2f4024b5507dc5416ac16170147b2f8432

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
ac0ee7cb56bcdf8f3c94a89ce5d745b9

SHA1
2ba5d557f05a7cf91da0da05c7216d4fb1bd7328

SHA256
7c352ac9bef73f14e4c43e47e9ce4f2c91836f357f72d85365fa428cb1423520

SHA512
14c8e39c0c3248a3d1adadf5a5be5acc88d7e57c5bebfae3bf3d8cbdd381df670b818e0cd65f099775ac3d7a30cf6fc26a5aef52c884bca4d2b0b7095d450b30

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
c585afeb4604b78b6ddf848d9f116bfa

SHA1
c83bd7e9e6be7b5a3c3cdb5a38e316218ea8c55f

SHA256
6aa7429ec9de0a0e3743b08c87435153f51d76be8523d44e515138cda07af33c

SHA512
c04c21a84d22b44a4db84c0dc5510c5f9f59d47171d4a2854fd9f2995b41ed7d27a84bf1a5202691d55ea16e6e3447a4442af591511f62f404e5bb859521f203

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
5393d7f9a9f237e213126a4c23b8abf5

SHA1
d49aa082428ce88998a65f1a31292b62d9645e53

SHA256
2e93275c2f7acdcefebbb83bd861c766ed9253e833c787dfe4345db19b58e530

SHA512
5baa8d556dbcfada5708626b952b805376ce770caafef3da8e7d664214787c356a30bc322819ba2e3e6f3b589c0f02ed1c9eb3e77a36a7ed322fb2227156586a

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
078bc6e6414148d585983334a9357427

SHA1
0627069aa1633a0bd6c1e3d79627e1736699e852

SHA256
7118a7159a7a250ac3cca6562a4f4a5163dea28e8905e6557605178c40438c13

SHA512
aedfc54315ea98658319009cd0e536351f13517b4de471ff6d191ac253f9c68080ab5f59d9f42e949dad95daed2080b7512ef5e469a6b8ab31fa4c248a74dc6e

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
80eaeadc45e2a5f6dcbf9f4ccb38f1b2

SHA1
cb55936b05a9f958bb9d366f7b835bf904b50b3d

SHA256
1410354291ec23914c79ed6a96d9f87ae860913b300fde4544e1f6618fe901da

SHA512
382d8519b6128a3430c546b3531ab262fb76a09b824657de19f6cc350f36f25d3f0ba9e01de5399d4179575516ef8231968274d142da940d7f8f7f9a9fa78036

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
9e00c01568afbe8e518d87c4f3f21847

SHA1
69db4438a408635cfa1ea5d28c537e6c7bb7118a

SHA256
e0b7a5edb0b9321a5b61daa8fdae1959da98ad32296086581c7c1f407ec6df4e

SHA512
42a8171aac2805ec721fb3db55c978566abaf9d39c910e167eae3b2fd2fb0cc1302aa14801a047b7592b17da9db9703ba1e6ef7f3f5ada84f348ca563ae841e8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
fef9e728d7b6815e4b505c06cce7dca6

SHA1
5211d4029d2ff4595fcdb9443ee4912482c16eb1

SHA256
5b7600922e5ac17a400d5111b15467389a52355c571badac13e478881072ebd8

SHA512
ebb3850b191b21e197d3717334b8ce9d835f27c1ea28b4e60bde5c2b28546e02359ded9dedc65f26b232fdc23349229d492b2fe6ae282e2073207130c9b4cb0a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
f3ef580873c5003f122db8791c4f77a7

SHA1
f080039f71e83672f0b93d5929856725c2d1ae7e

SHA256
66b62ce24078bb61da46b401f07703d272f465574530fdb6f58fae207b499837

SHA512
20d42a5e89354e4d6c6d394bbd9cd4578cf2c6f432464a072e1c79354d14b1def0fd8c6723de575a9735ce491a095f6b97f5b0227dcac14de4c6c13e5d6d03b2

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
c86b55be81b6f70aaa8e47aad363220b

SHA1
01b1045f2e4a62cad0cd3dc7775b767ad58f9b87

SHA256
78cdd9f6e42be3b09d156037e9e7001b7acbb152404732ce5553703d0236fced

SHA512
9b9cd0363694923c24a5184842ce72ed2b0911e5073a1a9d1103df33e0d2943df9125079009f5c70c596380cbbdc3cc139480840b029e979be56375893e9b22b

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
55225fc12624f9165a108bc6bc6aad2e

SHA1
7e0187e4f2e74da165a863d0d03406bc2654a9f6

SHA256
b81cc1c5890858b009e800defc256b0102788e4c9865910b24341ef8002ccbb4

SHA512
387b117bd011d482a0d3d71fd0bcdd2bad91117d69b29118149686af7163a27a4966c8b75c7fda02ec694d933ee4c4583cd08aae3456645dbbbfd5155d1ef2a3

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
aade284fb1d5ded2db210bb3239206e1

SHA1
e4558183ee59402555dbd00f37eb92c8cae79aa4

SHA256
e321c8569dbbbd91968f3359cef59f20e9062d4f9bfa2b68cf7099e62e4de588

SHA512
b098cf3a0834f5c6c5c4ae316aa31386a669f8cf5a4e05291202d1e42ff0fd30ff86c01653bb250187f3c7bcff82a3993366e0ed6ab84bdb57733a9c16411fce

Download Submit
memory/624-440-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/624-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/648-446-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/648-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1088-143-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1088-402-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1688-444-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1688-170-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1876-167-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1876-111-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2212-158-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2212-98-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2212-89-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2212-95-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2216-333-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2216-120-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2312-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2312-88-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2312-1-0x0000000002300000-0x0000000002366000-memory.dmp

Filesize
408KB

Download
memory/2312-8-0x0000000002300000-0x0000000002366000-memory.dmp

Filesize
408KB

Download
memory/2540-16-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2540-114-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2540-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2540-17-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3028-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3028-385-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3028-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3116-437-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3116-148-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3224-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3224-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3252-32-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3252-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3252-38-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3252-134-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3300-73-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3348-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3348-110-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3752-162-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3752-100-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3752-106-0x0000000000930000-0x0000000000996000-memory.dmp

Filesize
408KB

Download
memory/3752-101-0x0000000000930000-0x0000000000996000-memory.dmp

Filesize
408KB

Download
memory/3876-365-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3876-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3884-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3884-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3884-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3884-146-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3908-439-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3908-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4100-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4100-443-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4280-74-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4280-82-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4280-80-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4280-154-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4744-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4744-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4848-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4848-55-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4848-56-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4848-62-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4848-66-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download