e0fa3ed1f36249f1ffb11b2d82d28cae466d6041939b3eeb59257293333d5bac

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Size

1.8MB
MD5

132cb4ec98efb04f0d95c6b2b6e12db8
SHA1

552b78fb5bf9f36d80ba293628a6b3c0648817b7
SHA256

e0fa3ed1f36249f1ffb11b2d82d28cae466d6041939b3eeb59257293333d5bac
SHA512

4e69489859683a7b328cec595d3ab339816bf9e289228a558fecb93c668807e89ab49e826a405a32c096bfd775b4a268a35a9ac13a9ed0ecc553f297ebdec3a9
SSDEEP

49152:yE19+ApwXk1QE1RzsEQPaxHNgvu6olbnoQx1:X93wXmoKyu6otnoq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4740	alg.exe
1848	DiagnosticsHub.StandardCollector.Service.exe
3004	fxssvc.exe
4204	elevation_service.exe
3604	elevation_service.exe
3180	maintenanceservice.exe
2044	msdtc.exe
4800	OSE.EXE
4980	PerceptionSimulationService.exe
1040	perfhost.exe
4244	locator.exe
3960	SensorDataService.exe
4208	snmptrap.exe
1772	spectrum.exe
552	ssh-agent.exe
3560	TieringEngineService.exe
2912	AgentService.exe
5088	vds.exe
1152	vssvc.exe
4360	wbengine.exe
2796	WmiApSrv.exe
60	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7748160892be0f3e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5f6c14096aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3ef5c4196aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064c3774396aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002624994396aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc87d64196aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9fb0a4296aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd11864396aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
1848	DiagnosticsHub.StandardCollector.Service.exe
1848	DiagnosticsHub.StandardCollector.Service.exe
1848	DiagnosticsHub.StandardCollector.Service.exe
1848	DiagnosticsHub.StandardCollector.Service.exe
1848	DiagnosticsHub.StandardCollector.Service.exe
1848	DiagnosticsHub.StandardCollector.Service.exe
1848	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeAuditPrivilege	3004	fxssvc.exe
Token: SeRestorePrivilege	3560	TieringEngineService.exe
Token: SeManageVolumePrivilege	3560	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2912	AgentService.exe
Token: SeBackupPrivilege	1152	vssvc.exe
Token: SeRestorePrivilege	1152	vssvc.exe
Token: SeAuditPrivilege	1152	vssvc.exe
Token: SeBackupPrivilege	4360	wbengine.exe
Token: SeRestorePrivilege	4360	wbengine.exe
Token: SeSecurityPrivilege	4360	wbengine.exe
Token: 33	60	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeDebugPrivilege	3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeDebugPrivilege	3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeDebugPrivilege	3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeDebugPrivilege	3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeDebugPrivilege	3696	2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Token: SeDebugPrivilege	1848	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 4328	60	SearchIndexer.exe	110
PID 60 wrote to memory of 4328	60	SearchIndexer.exe	110
PID 60 wrote to memory of 3568	60	SearchIndexer.exe	111
PID 60 wrote to memory of 3568	60	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2512

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3604

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2044

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3960

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4208

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1772

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4964

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4328
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f5a087853453dfc3370931fa2ffa4899

SHA1
440357e7a10ed08d82d05357e04036b6495bfe91

SHA256
2ccc365ece3bcdd0a13521d41f7ad63adc0f639f29711f88ea18ceb94212a843

SHA512
4f946451d27994661b83d47f7590ab3955db0990344755d08310db825cc126dfa1b5e2ee398b2f3bc7a033ec994d5a70348169d385748db83a4b826c45f2e0ba

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9893f2d80bf4f3a8b8d49b0db4184991

SHA1
74e015ae895e94fdcd59455a3a3511c8d6ee12ae

SHA256
daf1633c7edd6323290ea08ed84eabc8df7202d990093b77eb13074c289bdcfa

SHA512
d67f2793e206e67910c645f802368bab00333ed9f206a1fb01140ff1d23bc962661769ac4e6b2e87701517dc179d0a91bc4b62fc7b7ba86b41f22243ad5645d7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
e5f1996b9dde0f8b00b9a3b631fbe462

SHA1
1ed6d85b048ca25834082f836e364d12cf9522f0

SHA256
18f935034774063b194b5ae8f47b31057c650a0c7f14241c37f9b946961f3ccf

SHA512
4a0a771c02f5342f0fc3b492c1f77f436689447339889b5ea62bb2ed2cc5aa55fec4275242cca42c87bdd5155d8cae830ae63def22d5c1cbf944e6054c5cdaa6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
14d6cf05f76fde78eb2442ea54655f4a

SHA1
15394733cd38d46a539b7098ef2d4f2240fde65f

SHA256
bf9534c238ffcbde7ae6671709bf8721d384f4a818694ed62cbf9633c453bf54

SHA512
769bc872459f8d99ffad3e1dfbd2bef8eaa12398829a20a6038e66532c4fa2929dac628870a25f506b852b87202d56ff4168a43ecdfb9bcc41e31623476412f1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fae95b98de057f94d72facc2cd1a971b

SHA1
ca34040d1bb6ee4678761fe75cdba1a59b5019f0

SHA256
4c12f0641b6bf272ef952884913f29dd734d1382c6d0ab4cef39da4510aa0234

SHA512
eacd7cf53f8d2ba4d4bf7bd2f939c613158ff60bce062fe9a280f36c7d638d82efac0b85a66c578fef7cf8f675b3cb3e57e6aa22b5f69ec5fa64a61c92515134

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
4685b04beaad41bc689265a0bde2bc09

SHA1
62e47a7c9e2cddba184492e57e1b9683a9f72cb6

SHA256
37b96630d6165754b66326e3982c7885c4bbd5994a830e7343aa1b0d8e0d3fef

SHA512
7100085a047e77e696a6f47a5232256e109f76db83deb2cfcd49e431989337b37c83efc99009ca4df95b29dc1ed62d2c379806dcc8fad0b1c315fa9aa7f3ec8b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
8ad8ad8a07f42e2f0354b11b17a16a19

SHA1
2c3b251b898cb8d50e42b10287596c85f7fd3ae1

SHA256
338cf32347976d5a3ab09d8091d33a7171423f4d857ccc34634403a24a15f0d9

SHA512
23d720bdaf87e2b37ef6b348920dfa4f9c32fce03feb574dd221f60ed36936401ceb5e4f130283da03c3f58430dcf235bf6118a7a6e8aaa61bc7eb1fd5354db2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9bdc4abd834aa35a5f9c9abded68f3d3

SHA1
5bb5f96f6751828d9dc0f513d02623270547613a

SHA256
1c8b73078a29f2cc5235cdddced8e17d1dc70dac999ad15cb54f0e564b69ca63

SHA512
c4cd1060f59730d69d2e5428ad9dfb2063162dcd38a62b0b62c844682a91dcf0433b38e332bd4333a93db68ed502d6849226f78ab4b94fffbe9e1cc145f48908

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
426f72bd22448d86ca596708dba47262

SHA1
5d80e04e5cf766a7c5f0e4ccfcace185f91e468e

SHA256
4d7764bae908f35407d83ab17fbb31e5f1862e419cb552b8e51bf10f905a5422

SHA512
f3fe28d1e14c5ece9a826931d998432b02bfdeb4f036f9831482269f1983889c836da1dedb095eb1de0a6904526de5238c8c123f62419aa799e75cd5b7f9f5ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3f6ceb0cc49a91f8c85814aaceb08043

SHA1
2d7175a6bbb5e9880413f96f2acaf9ff6a1e817d

SHA256
7e4b56dbee9a6ac69db8a1a363b563a8a9aeb8580332abbb56ac8db1c693a05d

SHA512
ab64df6e39dd3ca13cd0ad0523813320563d7568ac2be353d3b445e35cd9f693717d61b51523c0f73390eb35ea391585859164cd31e02e0b819a6086b67ead21

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ea8864276ee4df09c4036de3c0d72d6b

SHA1
e36d3f358d4c8225168d00e6733d6b666f249478

SHA256
08d11d2300962aa00fbcd97e2b0bef1eb20603ac14228f59c602ccd255054352

SHA512
b8c718f3b25a452b17b091f7ec6ed8a22fd4978af0e9bf173ed8e26f42d7ca53e50fef4d5873e0347561194c80caee4ef83ca670c6c41af23b0c9b9999107d2b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ede39982e5c0f071d24955de69fcfbd5

SHA1
26ef05fe36738e0125aff900f0f9f857304f50c9

SHA256
6f0de0864ceb05a7b020cb628e20b66ea83657688f1610572924afd80bb94316

SHA512
a556b4111034b721d303b0cd5dd2f366e66a6e3c99a92e83248d6833bdc01f28b0300540c63c5c8e9feab1a69de3e90b30bfa228b87425652b1963412c949285

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
8c745d8c443837a5f9972d86859a51b0

SHA1
558106f6ae3dca9d563f8d5318f3ee13ff426db2

SHA256
a025f94dfdd384d410f7ed7952652acbed97ec8a747114398807908b87465c26

SHA512
38823ce27a98de2d3d31ea12b4c98c22cd93a233eb7c35d8306c7464c6d1f814c07b2b4b0095040269f8308892474c0502b252f966b35808cca20d4433b07d70

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
0b6b177231d30ea163d3b9f1edeafe59

SHA1
e4838f45a4111925f7abd5c16778a84c4055bc2b

SHA256
d64f17d3f3027fdd5145d172d09a2cc87eb57a69c0a7a59bb146845fa8eb6b2a

SHA512
e6cb22c7bd65cf5cf1f944cf82a08839a4c1c5f15db58425b8f6df8904d12852ca8b2eb5be1b241e30006426d20544a9d64e9406cc7ef56c2a07d6986970c277

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2b577cd5e2a70762ae3e33af541874ce

SHA1
d4af57980c9dd623357533f68fe4090a66ed9ca3

SHA256
35aba6b6d037fbbf092a2c39d258e8401a287b4c27e4d5cd81592f224ab052b6

SHA512
8a21a72b4698cce2bfbb87e76d6be604381eedd7ba62749eca8ad3a1d08e14ef76bfcdcec18256e190ea378a957b1edaba71bf80117d25264f51b5c825f2a8ff

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
04d0ecbaa06e3dabd02516e124c8ef52

SHA1
a88e177a163dfa3fdb080855923a510db674d576

SHA256
745a2fdb4a33e8b0973af7efd7cec0d12577b75fec4c2d0c65f340ed9fedcb42

SHA512
3a0213a3570d338f1e88af3e542d897aa6bf6bf1287e7d76df3b4befe70e5b6ba522e301e43ba4dd2edd9a6d8453041d0163c771a641eeb9c4d3f332f3b8d2e6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ce23647e1fea5607089d2d949a325c22

SHA1
5281860904a9d3686be1daefe69852df3ef798a6

SHA256
ac8954233dc0dc35bab12ea0e2b3fae355ea8a81e265df974f87d0738397d669

SHA512
56d1b2b71a7ebff96f068d4ec8c5a8e40407131a0f735f39dea1c90a72aa2062cd93cd5fe3313b80ab521ea167bd748c06b5e167f36fb19dfb6f3e191b61c5cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2f17de154c9db5f9606a0d9ff820de07

SHA1
03de0158c97c5d5b27be1cb780d0208536e39b00

SHA256
8e4f89b4fac94ed1538659b625b310cf0db4e8ff96e0679f26979b5a8a55df73

SHA512
626ab8d69cef57cc756fc025e729bb30fc5f0bfd5c75fa4f7ef21120764dc77d4d8ac7b33c62554f2eba6e4b256ac4ca35c417a4c2980fbf4aa7a5573ffb673e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b7398cdc370012353c95824f6e88bba9

SHA1
52d2805be5629b4e229e5cc2691f28fd22c3d59f

SHA256
3b17a8ab64dbe593d7ab2e160dddca8faf72105c703cd933e398b029ace2d50c

SHA512
4376ca098b0a97bdd0de2c18a2e8c9901e665c173b6413eadda550733ac9f4b7f4abfad6b57168ab1dc3167806c3090bcaf62ed1d7ff00774765ad87f6e0d1eb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
6532aa232008bb28b92d43908f8e9e66

SHA1
6f35575f39563fab079e3e49b2ea373416d753db

SHA256
00e1bd62e2b1224e49e566a9d85b662bdf75f0f413e7195849bd781be0c8a208

SHA512
7211a84d8c77e29a22cc0f186c613d5f68848d9b698eda3c6f02c128b649687c089231c8af350a5bbb10abcfcf54006200ddc82a1faee3d78f8f1893d3bfd7b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
9ae49ad41261cb42df645daf34f77084

SHA1
2a9ae41e85ed7e22453e8f673600549f82ba90f3

SHA256
ab2eb47703604200ac4b4a1691180fed7a10062671e4ce512b3cb125a0019db9

SHA512
14e370ea29ccf15c48d1519ae1307064f58de3f2f72862ec978814bece49e546cf01a4b96ee1b8104d372eb9f8dce93a07b8212feeb3a8c02879ecfac674039c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
cb9d04254f3df77c6cc2efb625243724

SHA1
b0aba93d0488c4a91d4d8fe79e01c964445767de

SHA256
efc96c87ae5253242cf10f1a5526d73d969cb52820bab3ef537f03b693dc0242

SHA512
eac587db459f4df8f77700047368b2bd3cb6c10ea5edef78d159f353c739438493c47ce25fa2481273dbe45741f343321e2e7bb8e35b1aa708ba7017b344731f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
798c91d04f01c503c50a7fb251cb4b69

SHA1
477b01be162ef47d2c2e20d92c7f2e53482254cd

SHA256
017143c38811b4a7b9c252ef4b5c72836fb56d29092ac6eec67efc1ea4de4826

SHA512
bbf74d4b77767fd20f8f597d43279d74e26a80847d9447634f7de0946975a555ea1ffd409df28f1cac608845cb9ed87b744dc5531c74ac09d467fa41ee547f13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
12221d8240f032bb196e41e7c8f33b39

SHA1
254bfe99ef23bf0b23a724981eca9b5f9be204c7

SHA256
389321bc1a1a0f9976b5290802bd7c44ff39ceb69fc79fbdc89c3e40c2581674

SHA512
42072134f5da1141bbfa89c8db2b0f6d4f0ec007c37d27b66e78c60de1ba287150a1e05274ab88c791ccdf6f838cdaf9c53d03e576f1970578f5a11934441ef4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
442e1f08fb76d60f416c31866f21f85e

SHA1
46b9d44851318599d0da2bf3e3b3200d009b537b

SHA256
7cee46e8a1d296226636f3aea4f90a01fbed27c1b846f56daf364b71e89e3875

SHA512
1dd5ea800e6831cfe2458da220f1ca426b966d95d32744f64cb3991937167f20ea4e98d630802755de08b452d80cb53d2721589a78a9eb23213c355a2e2128d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
05e3680d9945a74b391aafaf247ccfd7

SHA1
9f4bd0e0f2bf63bbde186b6e099c0d1b7af36810

SHA256
5f3056e8e9883a45461ac4af1580a8af0279f899a435fd6b7c845dc6b972130c

SHA512
2062c4b0d3f0244eef8bfa4b4798f5107ec1b0819c3730b0b0de26b095b8dafa03ba09400acf2c7592d094ede3a721c9e696fffda577ba2a6eb2b65e54c06a5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
6bd8019e0b8306ae171b291fb0b79cbe

SHA1
93adf2a50fc6eef3698d5cab4898d02e9864f830

SHA256
afbff2b314dba3e525c81f8c5c90d971f73a01f5511ac6422250c05225f8efc1

SHA512
8e0a5ac385459d81d862813271023aa493852f24511720124eeb0dc95360e01ed887a7fcdcaf66cde8566da71a8f7f168864fb26aa36c5b761ae6016cd8da214

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
ddaf7a00177a06cfa556ab409cb50ed8

SHA1
fbe5984b7eefd0eaca34befac7455bae7978d78e

SHA256
c7730c1e1f742c93e03cbc7bf37afd0e99f63e7388ec41ca51fe7095511913f5

SHA512
ee6d5b0f0a7b6810eab9b9f42d3d30c0204d24863a0424913cb85d6c05d48931acf3d6844df92f381325ae81072e16f8422bddcb36312619044a7271a0981b37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
a219cda0590f54204236f4569140cbfe

SHA1
aad9f6c5d04bf256db834d725a32e766e933893d

SHA256
19c7fb1fa119256f388f7d99bb593d9eafc2becb71da4091ddbd4505194cb533

SHA512
93156e1c3235a7b9ea924f6301320f13a19debe17c3acef249a47517e582e5e573da0d3402331680ab5b594883475ff91b017fd43be04c827298834559d5e438

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
963034f29bb9320b73d0241ccc4a139e

SHA1
039227ad97d998c577be4ea5b70f57a3a6e7eadb

SHA256
beefd761b885cf7234e28cddb23db22232bf5a07fb25604e229d4dc1be0c256f

SHA512
8b6fc0b44ba07dfc6eea80e80e47d5b20c700970fbbee20c41e9059457bfd5852ded6f3dd35b13c8347993cc08f9911f27c45da8eaa4b32b2fdc8947945b66d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
f48476f6d472d3ef276e76e97240893e

SHA1
03305ae115fc51782d15bfb934658741bb2fc264

SHA256
e857473dfff96272a36335e4f962811886062c880993d03b9fb85a5af7dc82a7

SHA512
8db496c609934969912246902a46c374f7cdf30cb8144d67709631d9c6dddd238fac0f07273ddf859cb25071a5239d93a24a0941e674674d9894883f1f99b644

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
5fd8cfbf59bc343877d3cad7aab3b31f

SHA1
9f14c4a7fc1a41986437c69a52170e999341263a

SHA256
b5f4d77129f781482dbc09142cc0fc70fb8ed276abcefb7fbf5dea0372f27749

SHA512
b5a8348d156885cb8953a9f457bc02017b73c88c15e38bd3f7176e719b9da6d7d2aa1444765900bcedde5c0d9a8bdfd353b0259997bff7ff7a88ee89cfa123d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3ca12b5f9affffbf82d68953042f95a9

SHA1
054ba423584b4bd787c6973a3957c101501c8703

SHA256
ba54b7fc693a4c011ccacfced2e9dc80033ae263d8b0a76e1dee0ee5d9013ed3

SHA512
7b517ee196a159f5201805be0aef5cdbdca0be0a30621c32ddbaf4dd0759d7ed40056008e340781236c3c6efaabb873638da6cbd50d176105457022990886949

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
681b01b554922d720d90126b93578199

SHA1
eaa74d697477722cb7bfad52ccc1da602d523fa0

SHA256
6fb5a19f62b32c16bd26498e8182784952e510cd46170cd8a3a71b5ba267e8ff

SHA512
64227b571a88075af9d7f1e3df8a8ce9a5e453c3bcf11922cedb07d07762d1a1741e089182db8395820091d362bf578c3318fe3f6838f61a84655265af6318f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
ddc4fe306be4b444291e6189b355bcf6

SHA1
54fee111280c9bb550216e958cde5b39a8420f4a

SHA256
0d9a25907863ddd1bd293bad67fb2f0e7fecc495af33bbf83dd3124ccf088684

SHA512
55032863a1fe4fe00db1ed7e2efb188e5c23be1ce6451e7de68959a0a5a65e76ce09826bc36b254d19b40ac6267addad05066e52fc9fbaddefd147c90e4df507

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
a12513f77434c8ff949a47a88100701e

SHA1
469082995b2f3c4206cf7eb4a0e137c61e4197ae

SHA256
b5b433967f8b527233a9927ec0b5df63a9492a00579ac557212b60b82c632814

SHA512
5e8cffc5d9e9e79c1955e1d84e16b06cef2a5337ea3490932d65f4899dcaa742d7c994e3c01ecae2ebe89e995673d98ebd3a696367186c3b91164b371b046374

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
cbc8bb8a205a861b0dc47e025d35475d

SHA1
bfc7dadf1bd83e27e17b4b8ded36e08e0cbc2ec1

SHA256
0e9fe51548c44e87a81a699a1b90ab98d4eb71c27e1049abb440f107cfb7f419

SHA512
9e61f6c245e13cfc0bdacaabd3ad81ea0a9d52eaf4cf5bff4a0a31165e97e7d08dd7b367dbe0a1437b8043d4076e2d8cffafa33e84202315f68107a42cbcd9ab

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a5f2ef099994071c1722db737e328ce5

SHA1
54213a910ebe355502d047a1001c7e25631c4b7f

SHA256
e64d27b55b1b9615c020f9d69fd6f4624eec0843d7ab6a770a7fc957e04fda3d

SHA512
72ff266eceb27dbc60f62f4c5f42eadebf056ea9bc6ce79a3bf822405c6af21a2b71966b18d67ab583ff9e19cb73afdb47ad80655084678acb0ada24f78d9c48

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
82bd025ebb8e5a2cf1522ca532facd4b

SHA1
48f8876d8e7ad910b3944b639f71be17efa403f4

SHA256
4ca5820522751985ce9d88da41ea5592aa058ff1ba8057e45a716ad876dd03d4

SHA512
79c6cd5ba96ac6cd02f82ddf9fa4f614e9cf5b7fbb870924118a9b71c55d1502dba82744699a719d3dbbead89be9f95604f0f0773f25fd1c3563675e3ae623de

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a6cd7200c10f67b733e73aa0b7ef1e50

SHA1
2288d9b2a103bca985bfbb6a88023b2cee7f951e

SHA256
b7e24feeef441ed1578c460371e0bba29cb8b866d9f8afd3e4e93fb32fa8caf6

SHA512
a8783e0eccd0f63d26d3263bea2b3b24f1ff652af8400c37e13d25986eadc4ac728a9a6d826c5520fadcaa09e0d65883eef3da9697d1c5afc3e430e4c1543b0f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ce313eb7c1a873918b1626cb030b1208

SHA1
c030398dfe04028f25ce17cf9b348e154d62cb2c

SHA256
ba50a34e8ab25b2722c641d4cf593ea584ba22f8dd2ae5a49ed233fa4f0ae5a7

SHA512
1df9233651a0681c097a51ecd520408f91440ee5d40abfc67f6fa48ed5806096784065a71fec1f4478a71e22dfb505dbae3613640725f5e31e7078b8e3271a67

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0a5a997a4678d28dbfc535f03eb714b3

SHA1
6a3565fee51921df96b2d281a39932f13ff7a01b

SHA256
27cd92555d1dab1636ebfbbd8646a7598faf53f914d3325466fdec1f53c80947

SHA512
42f5446c295e302e997eda4cca10fbcf411c3c6deca275db2c9f0fac9cf6ecb45f6191944aac8f4bd5dfec1f4664b8a8ff2b6662b0c1f33fcf1626e78389b261

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0109910e29d029a4c05174a06342e1ca

SHA1
d118f72029c0924585504b595cc3ff60cd5c9992

SHA256
248b555cf0ec9afe0779257641a865dbfe36209dacf3c44ebd76d7f127aa49d0

SHA512
ff55d958fd7583f9a85b4ace2a6896b88b4940dd3723eb9db4ead3c01c1923786e316f6c3c42005c21f6baf5af2c7fee930fd334ef602a7d747231321b448d71

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1a853352eb03b4ff2d98e3838e4310c3

SHA1
1c50aeb4c3aa51f9b547e10ec13543f5c66a113f

SHA256
08d9a43253231271092d261e9bc887ae0dc3b828f442ab1de21d27754b62031d

SHA512
f1bfea3a1ef1af3ef4029fc87ea0ac5bf359f0dbcd0cca5e4e4ea6b9becf794e8c9a1f6ba4833099523fbdd53de0a592c3071654c895e5ca2cfaf55fc9bcf627

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
c641ef3c6c0212d6a2991693aa118dd3

SHA1
bb0f4c07bb60f6a59b7e4266b53b817a89ff2c9f

SHA256
52383bb626eb14da7a0e363c47c1339ad2a1d5b4e820da71425d714aee263765

SHA512
9bf6433082cc0f7893ec9f51d852e3d1844bd5a1f6567062327fdd2dbf6b7832d7df71b14ec8572fc97dd59938b8fa5cf84f0b87f0fe203630a9fb15fed4f15b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c8bed33d6438301878afd73358fcc75a

SHA1
4767e6a2497c9dcbe543950fdb7879c1268751f0

SHA256
d2df93d9b1aa8a48ec7d71594a8e8f01be6da75f807f7cd5fdc8eaa91187813d

SHA512
200f7b675e949e97226335d8668e2a16c6a7c592d421d8796505d9ff0ac0fa8a9d9da4972a7078970ba194bbfc2c85f5b858d2efa210b2574f45a6cd034b32c6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
769764177dd34dc25adea767715fa888

SHA1
582d53f444f7f1850a95214439353a86f9dbf831

SHA256
56dca6519249727541664f353f9f92eeeb3bec9e3d69f1d77ae0c1c79c819dab

SHA512
c2b3e83a61fdf11d9ba62403e2f81623d8d82ee2e98de4d91586cbbed2bb2d0491e0d66bea839f1534ca15f02bb50d80abc52367892d1ead9ffd1fbf4ce3b437

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6b3251f98231725fe109b205870ed964

SHA1
a00185aa8ed389eb4a63aa334ab586768bc31b35

SHA256
9488d5795046b7d6c276a53065698872a835927f502d99404347eec078113344

SHA512
13a8cb6d6229331dd34345da8594e42c7fa57bfa45845d16cc1260580bc35de83559325b11e000baa0354ef9d96c79dd7f465920514e09ed7f827de4fc91503b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ea3d1b5d443eb4ad25622607484276e7

SHA1
259c65619de39a24479ef367b08316fa744a5f5d

SHA256
4e5a9c536ef4242d3299cd213808348e8c0d93d67cb2d98e13beb503788fcd74

SHA512
685548e9b0d13cbe8dd4fd3ada71092e4b745f80e010755bee28764a234e830cef525a6259639a206e07ed697145488fbef12204cf8adcb511d61e6d922f9cb3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0c38d87a8c8ba05dcc289b62589af2d2

SHA1
dc3d9412b541f2e5200e42026ee1eca713d67998

SHA256
a952bb7898f8e1afc1bbc57d1547c050535381a802b5eccd8290196ad8e2a5c9

SHA512
70cb1c46bab3992e6dc92dbc61ac0379285d8bbebd71bb8caec2d9a2598e1aecd2cbc53a01373b41b27292fde4254dbd5a59585028d598ba0a1e6e7efcfec845

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3352692e8cbeb9fa64cce626f3aa7f07

SHA1
68caed4bd370df6c058cdbd5a742129a080c992d

SHA256
52d34512a7450e8c534dfd6da2f173c1a8f65d43c5c7ece82e5bdd421d19f758

SHA512
032d9d689e56d5aa8772da93a9323634791ca2d847fc6912b988de944db98fcbf2a1ea821e00228e46b342f097b886afc79e85ec97d99c69e4fe4d44e52fb882

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
7bb206bf3e9ec5a52054a33fb8906a9d

SHA1
b0c6d8c06a50497f4d5d42159f04f45b624a41ed

SHA256
726b8fd8aef99015cdbd4df227c00c9b0432c59805fe5ee39d7ae68a9d08afd6

SHA512
cb35b429f060914a7a0ea9fd62221d529515c65dbb299ca72c5208c785bd2d6f9cec6cecff8c09a07b0d1816a76de93f8888cd4f755906e66a374cc37e08415a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a44de9aa437d17a711530d8d5caefced

SHA1
87226afd341c349e75f92ec2c65b8d7932a95833

SHA256
5e2774f519b5e4e5231a1b84060e426693776034a3ded900a88b392fef844e2a

SHA512
c313852f8ab7c259835ccd462d49314bece329a01f746c5238577ed6926b5d1576cb4dd932d832e308e4177041190e77ca92fc6730759bc0b112ffa865e7555c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
44d7f681634ad2548998c82141b07c46

SHA1
6d337819a6a6bb3efa159507e251b8cb065eea17

SHA256
ac08f80b6612c8e7b0f160c7cd4f6a42a912ebfdf58e84278915a1cd187365dd

SHA512
d6a73a93594375dffaed3044de60dbed0aba3b7297de03e526630b1aa7bc1c809178c6002848886e96fb9e6b50d7d37efb0447f1a11560ab38e3062d28f6f930

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
5a2abba2ec0f2e59f55f7ee9d55d3b53

SHA1
3f3b42cfe98c29da71539a6b57c2a74a8ced655a

SHA256
504d5588dca0317e9adbcf2da0149cd052b8b269d7072ddaccd7a52d11342839

SHA512
c4193f086d960cef811821bf0e29704334fc6adc8586c7e9d37c30de6a46ab6e52f68cd37d457dec6eb3a41e87307a957e4f06848b43b7463247ca8e26df9334

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2f94948793fbaff49ff86ece1ac14a44

SHA1
09184a2cc5794124042f2e3f8bc93cde6ebc27fc

SHA256
a791e9978cdadd2ac7eb8cd97afc8e137dcd4ca09ad848d0bba911a27d37a59c

SHA512
9364c3420bf43dc05f0010cb1e1a5e89f4051d81b56331ad5a9a915db4768e9280ebcd46ed86e0773979e41409a826cd80d343321f1a610a3b7e7cb49d64e157

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d8f2a22406c517628f43ac4f86fc508b

SHA1
8bc4bcd9734b118104b6446969a5f5b95de9f2f0

SHA256
4fbe8c2a23ace474a5cd266fe6bf06d21e4237df433492276aa64b68441c9ffa

SHA512
64e1df0d6201f911303415afb1eec4ea0e895643f3e3cabb16a7449842253dc9ba95c12d39e3484d649d9cd04009050fd853a6aa337eba6b486d204a77e06a5e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
996028629e7979a334bcb0ec9dbbc8ce

SHA1
a4df403766cfcdbeb7a9203ffa2c27bf8f88717d

SHA256
810dd985166eb62ec1960f9438ae24341420111bcd5456cb754c44d3885fb39f

SHA512
7c14caf0f94ce2d7ff18c63b32791233db5f5b93985ce1178fea45f908c3a6c2322b5d9bc7be8cf01285e2618c3eefbef659c70d564d52e7fcad6d216bd2c3a0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
8c4b7eafb587fd2475033378fae59872

SHA1
d06b387632cedbdf3949608e2f249daa4bf0ed49

SHA256
0919cc6c9cf406e0d97278d91e0a9bf7ff4a5938f840abed0cb7b195b060ad62

SHA512
00b3d7bb9f17e7d210a9d4d596b7054a11e9bf85a1c0697f2543437ce6841011d7607097c7da20cf9e6d3accba72381b799059f52a2794fd93eb0a3b1f023c72

Download Submit
memory/60-452-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/60-168-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/552-162-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1040-112-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1040-106-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/1040-100-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/1152-163-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1772-142-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1772-448-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1848-24-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1848-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1848-111-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1848-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2044-295-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2044-70-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2796-167-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2796-451-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2912-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3004-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3004-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3180-63-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3180-68-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3180-55-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3180-61-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3180-66-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3560-171-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3604-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3604-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3604-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3604-146-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3696-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3696-8-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/3696-82-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3696-3-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/3960-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3960-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4204-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4204-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4204-131-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4204-40-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4208-447-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4208-119-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4244-113-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4360-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4740-108-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4740-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4800-347-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4800-74-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4800-83-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4800-80-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4980-89-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/4980-97-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4980-95-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/4980-381-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5088-172-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download