6f3956ec48fef99afdc662515a432fc0a2c59c938c733269c61af5840575a38a

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
Size

712KB
MD5

de61684a183bdbcbd90114d81edab03d
SHA1

924913c0b54c1acbb9bd06d15a5003617e344c30
SHA256

6f3956ec48fef99afdc662515a432fc0a2c59c938c733269c61af5840575a38a
SHA512

6c30ae3751a3810c1604bb95f81d51b4cc13a2ccb4142e58c9148355bad79547111772557504642ff646304760aabdfc294e68eb058f4e7d344ef6575040010d
SSDEEP

12288:ltOw6BaV/bxXyGH7XR2CAwEQki1I7wwY8DMkw5V7iP3sOZ9jDH3kTKE/aoJut8od:P6BgF3B7zPkcowwtdwKzDXkDNJ4D2k

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2432	alg.exe
1032	DiagnosticsHub.StandardCollector.Service.exe
4840	fxssvc.exe
2340	elevation_service.exe
2956	elevation_service.exe
3396	maintenanceservice.exe
3796	msdtc.exe
432	OSE.EXE
1892	PerceptionSimulationService.exe
760	perfhost.exe
4564	locator.exe
3136	SensorDataService.exe
4028	snmptrap.exe
1608	spectrum.exe
1228	ssh-agent.exe
1988	TieringEngineService.exe
4360	AgentService.exe
1596	vds.exe
3760	vssvc.exe
1700	wbengine.exe
1936	WmiApSrv.exe
3580	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e3e9a55ce703f493.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007a37e146699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a0ca8136699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d0643146699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3c947146699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6ec16186699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f35a1186699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091afee146699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050aba5136699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
1032	DiagnosticsHub.StandardCollector.Service.exe
1032	DiagnosticsHub.StandardCollector.Service.exe
1032	DiagnosticsHub.StandardCollector.Service.exe
1032	DiagnosticsHub.StandardCollector.Service.exe
1032	DiagnosticsHub.StandardCollector.Service.exe
1032	DiagnosticsHub.StandardCollector.Service.exe
1032	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
Token: SeAuditPrivilege	4840	fxssvc.exe
Token: SeRestorePrivilege	1988	TieringEngineService.exe
Token: SeManageVolumePrivilege	1988	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4360	AgentService.exe
Token: SeBackupPrivilege	3760	vssvc.exe
Token: SeRestorePrivilege	3760	vssvc.exe
Token: SeAuditPrivilege	3760	vssvc.exe
Token: SeBackupPrivilege	1700	wbengine.exe
Token: SeRestorePrivilege	1700	wbengine.exe
Token: SeSecurityPrivilege	1700	wbengine.exe
Token: 33	3580	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeDebugPrivilege	2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
Token: SeDebugPrivilege	2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
Token: SeDebugPrivilege	2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
Token: SeDebugPrivilege	2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
Token: SeDebugPrivilege	2040	2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
Token: SeDebugPrivilege	1032	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3580 wrote to memory of 464	3580	SearchIndexer.exe	SearchProtocolHost.exe
PID 3580 wrote to memory of 464	3580	SearchIndexer.exe	SearchProtocolHost.exe
PID 3580 wrote to memory of 1020	3580	SearchIndexer.exe	SearchFilterHost.exe
PID 3580 wrote to memory of 1020	3580	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_de61684a183bdbcbd90114d81edab03d_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:712

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2956

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3396

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3796

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:432

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3136

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1608

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4752

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1936

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:464

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ea58ea6641ec71e2e915f2d31a785519

SHA1
1f85701da0512035b954302a759fde64623b9121

SHA256
87916fbefb7bd32fe3d92238a2c4fa4a07b2ee5da78eca998d19db5f052e6264

SHA512
667a3ac50e4050a828f83bcedbf1b5b78111812810b71a3dfff8efdeb02c1dcb16d6e3c73d1d3486be32317f0f24cc472d2cf546766e2778f7de0e58ae58b3fc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
e9c1c6e524e39177c7647270a85bdbe4

SHA1
86f43efc0445e428f7a3bb188dd1b2acf158a03d

SHA256
a301e80f34db96f052bdee5562a411eda5f68aea0670e93593cde6f30aa6d86c

SHA512
5cc9c7ce5c9f44c268cc91369e80970246f33294b0baca3d75f6d4832abd27d4cea941234b77e4dc720edc93215d79fc67b1628c01d2c500c883d0b96d533f78

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
82c3cb12374d095e97e3e59addf27c8b

SHA1
2eda87a4382ca2ba4d747c4736118c6c22af0631

SHA256
6cfaa01a1498355510c87d50bcd79d043f863f8cfc6cdbb116213b222163dca0

SHA512
0d2a5eab59f124e6c6960c75f1cd3021e2a91d09857feb7a9c0c89ba16d09b60c0bd63e37a678eed5d84601f6c588ae37480a6b50d111c133b30cd5804eae400

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6dfb5bc450f75672f21f032f0495eccf

SHA1
8a1f7b54f7ab4e169f7604319c47e72f6fb0eeb6

SHA256
1327fb01f3e5cc6305073ab75efebaa876a8fa63e503b00c1a9f0c40e8e0d08f

SHA512
7a689ea6d4de8d3aaaabb5ddb407325e2cad11c31f98ac1b5c499bac3b018d2ca8aba1e249c63a04d80df2134003b0a72aa698e98a2370e379fe5d8307544a53

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
84303570c036c72fdfa49843672767d3

SHA1
78fb6a428d87ca257607ab4db4282dd762d32993

SHA256
f5e4764654e1e582c2b9892b7d8bc106bb291c9a98dff85ebb9902116ebb5a4e

SHA512
8778b49e1d77168a407f2e0cec0e5bb546d195480353c44fd7d116bb05ea442fed760d298f78332473a63b2a7432002d8a2018ea063e9fc88c8b67efd7e25199

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6326397769027dcdcc45737be05fe016

SHA1
572d4a049c77c39421d11efb8a5e62b9a1bf1ca9

SHA256
7ec1d4425973265853ee1b8339988aee916ea10d07af628517f59763e6cc6aec

SHA512
60a411e7e5827af74feec0a72899234c7908166d386e2a8a912de760ab07e26653cac15e578c64d171496dff2a49fc2e23339399399dee77c63fca91289f5023

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e893c70060b31bf882f1cf4b8f6653a3

SHA1
c217062100fccc8d587629d261bad452cea7e1a4

SHA256
5ee2c6667aacc000102443281825dd0854025bc7d3e42a366e5a9be5a57b4ca6

SHA512
caf31b240bf465e335c4ea26d9fe8ada05bcda756bfbe4318b8f937fc49f52b809b46a994d2418305513642f9c19747e05097208832465486468625711e00b1d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
36f96737f75d712e90beebeb32de2645

SHA1
2bb9d145177513031debd0e6eb0bff58315ed426

SHA256
28f9da7ea9781bcef0e0b51c5601ef5161a831794595e79ef65ade7f8717ada8

SHA512
27c28a13d7dd4e416233e83bbc134b3bbf194ced8ed69a9574158eb2b15fc3da4d8c8d444ad952794614b12326ae51d9fc6029ad6cf65d6b8017487d02d59bd4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e5309645612ce781ee87fb98076943ac

SHA1
0bfe30f750a6636d03c0ccd16bd7ed98c2e064bb

SHA256
c4c3205f267c8040abf62bcc93250b862b68911acaa960a9dd69d2b1d6e4f47c

SHA512
a4fd1600f86ffd5d0597aee9da1ef8570c915cb2a3fb10f8dc269a5b2c539f05f163d5204b287ebca7df85ae99f0119ae8f2d95db4f47c9c7b0d48a620321656

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3b6d73581efc10c8840edb2b3bf38927

SHA1
198c67348f9d992bf5aeb8d67f4d010714c320e3

SHA256
d0018e6a26688ace82bf906cb4f3aa4a48e97ebc284431d0efbbbf49970485e9

SHA512
111db18cb1d654bcad9cadfb4f3231ae9c0d18a2a9806ff4669c31b84321c5e03703c8e6f5d42ca47ba1331651124cd3f287bf45c40a9d2588b37183f8d178fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ceefbb881b5dccd26cb9b3e306c29985

SHA1
a1f8a8bec8d8a91e2fcd1613a0a742572026755a

SHA256
8bb4144b6c7d89383865d15085d05114c5a7131d658ed71547897b77f653a05c

SHA512
4fd7ede7c64bf8ed307a5618a33cc0d316f9b9fb573a23a726e6f5ad6bd2638ba6be32be561b0e883cbd41f9c7b5c08ee13b4d98c1d2e3cf7e8f70a6737b6641

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
59b67eca81c661c86ce2241274dc8734

SHA1
5eb9b4d32fa9f12d9ee2c1fd54b55a7506747acb

SHA256
e9413b78bfd86bdb5b116d5f50330e922499581166c95503b883a90aee71207f

SHA512
8e4f0cbafbbb39c6a09ecf23590828f5da761f035c5f258b5fae1e2196906cf2ccbbde222c244b8be029c4e0021cd8394849f97e59e9c70e25bf504e7916e221

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
352ed8bc06eec3a2fd661ecc1ed41c06

SHA1
f9f252cc01b970c749f20ff1c25c21a488e0746a

SHA256
30c68c51b61499bae751c4cb6e05681678d8f1160667b1d5ddd9f84c1da78231

SHA512
28a4696b75d82069a1b89c8b5028b5b83e1c4e47041753aa35004501308f84d0335057043137f53d28d88cb08320bcdc88689cae568406751ef6de2a5ed0e09b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
3feff7dead6df3f435d506c8583134ab

SHA1
cd44e70f520f35270d24c9482b8db06a49586811

SHA256
664390b804b4fd268a604d32cfaf5ee669109cbbc77ebe0bd16dec7199582466

SHA512
8b950c6a4918554ed8d2bbef946fd480be0c4b40d43fd35d2bdb22fbb5fb65a63080aa96b75a6bacbadcc2df99966fc5a113f52cd704bb56571b638fcd6c17e9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6530259d1bf0dd815ece5a2f9c4b3b19

SHA1
9bf8d547bb553b64bdd15dc824568f0248b8594c

SHA256
e9a6dfb3b6d4534b88850bdc5b79a43e45d868734d24d256b5497d37416ed007

SHA512
831372985c2369a92e6fe9884e1364d9a36c9ceb7017f47cdb73265841970284991989edd6e3dd10813fbae01fa32ab140ccb589a4deffe536d2540d6dc00506

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
45489fd5ca93d8363888cd931a2710b6

SHA1
e65a57576c12e8625ed9c3bd128f49335354ff25

SHA256
a8a0eb028bef48f8f7bf650992aef4cb616e43e6794a5fd33b78988abb9d8f6d

SHA512
9cab6af842497190292087faa74934a3fb570b7d4e643b579958a8823edd63908f500237211b6d149c5ef569cd92aa51ca934052809318906f4a870b7a87751f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f63ff8deef651ab128394c91a7f5d5fb

SHA1
7c8b0691f136c6ca7cb2f8dabb0d74f27bb46ac3

SHA256
7aac664d4fc8081c1cad1a12f95e4510d369f03440f8004b0e1c021ad2a21f6b

SHA512
9f176d088d0b34d2dae82a6d375ddc7825dfb752d3220250ed6dab9426406406c4aa55839aa2e0b1af1aa7e107c9c917b5d227c807a2f75b733bcde6b532d31d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
265cb5f70f116203ade461c502a44872

SHA1
2453ec20ca76ab130b72c48fbbf33e08f0ce81b2

SHA256
123f97bd30d04e0a8fb90dcc6de68dcd558ddab5aa1b72299ec9ee2eeef3605e

SHA512
d7373f35c810c1105c995b484719da1fbf07192f1c4336291a8c51404ec622273afa500826105b2ee48fba83761476e19a11052d7b83475a8acf269ace274930

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b4fc3c9298276f14c98c833c5839d900

SHA1
b4b0525ca7b2795616bcb89923e429e881e80fd2

SHA256
5c2b49efc3e4160d971c8cb1b8a0916105d87ac86b66c30abf7a68e80242bca0

SHA512
b26186558db14e7a0a5296708b0ceb836a7a3b91bef0ef671b35eaa8de58d4e4ccacd7b4701257a1cb6d89ebf363475786b3ef60388a142c07dfe2600ee48913

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
00053891057d5b2c5180734e295bc692

SHA1
6e8faf822bfaa2f172d0310749f1d3c7019a7c5e

SHA256
81e920f2b2114763f56bfbd3bac059291758461f26734b041b458b87b314d2a2

SHA512
367c1029b65718ddc8158730780fbfc689e26572c913766eebb9006701e9467f9ed838f37af245b8fdc2d6ad2356b1dc019742a28172db109f201c8881390362

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
fbf39b774d35fd8ee41c11d351299828

SHA1
508b53f7dc9c349b27afb65e89ca5c4ca98e2dcc

SHA256
67a114fc921c330db01daa7846fc7cddbf20e8101a201a714caeccd0cb603aa5

SHA512
71173ebbd83c8142ffea1d9678354b3fe8340f182c0cd8f71557e42eca3208618ed371070c63e4696fe7576f28c05e1e565d1d0c5eab41efed1c4d3ec6b0845d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0f3917cbab57178c4c084649feaf4c26

SHA1
2cf48c053f5f4fe3769d27d55633d5e4b6dc81a5

SHA256
38928ee996bded24d9d1b0847b6b249119b537d403173c2e1f684436ec18281c

SHA512
a12268174291ae0d2cfdfa80d9688dc1eee5009532c14f69052e8fa9a61d855ef50372598c2108a0c1a11f9eebb8a0022ec7c29548d19bb2c8c9d32d5b9d13c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
8cbda2ef71b3227e9ef8898fe565b033

SHA1
bfc8eab596e6b1b71bb7d541c9179cafbd9f58ef

SHA256
bec9cf29ff70ea02c6731526c9ca72d589ca76a57074aaff2fc583a32ec3b8a7

SHA512
3700f2211426c2b43879f0ec4010a846ba5a72cade5c4427d0ed4db1077acfe5b63748ffe53bf9a2c1938a26c1554bcbdacb6f5a1eacbc8223dd581eeb67a36c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3c5f63a4b36c98af17d1f803ea4cc0f3

SHA1
93eb108f73dc14850a2d13f66669ce9717c0e607

SHA256
5464cfd6f2ee01de0fdfce1981ca80e89411606359b48f7e06d78daa75ab8918

SHA512
d52c0bc64d25a2e4e3bb8bbffeee4c373bb9c0b14525e008643e4bf4ec829f3b21e55a37eede4145254bd1a97f1dced02dedfc2feb42add679d7cacd72d3b1a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
4377ced4d76408b82b190cc50419cf78

SHA1
cb2a8a5b32271be940759c56125022dadeacf9d1

SHA256
82afc6a55ba048e7a094ce4169871faff06e5eff27f4014886bfd45e6a5523fe

SHA512
9614e1c7306d522836abd63db50a28535b023ba99821b8bfc80a57ea7ec49fa5fd2e1ae2b972723104c6361ccbf855e68cd844db80c6adcc6dcacc319b410d88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
8f66e58eee2af3c2325c12bf1863cfcd

SHA1
8981c617bd55a49f29c5c84d787073d82b2fe05c

SHA256
bef12b37e9434f3fe9075b502ca82c5dbe66ac846364dc0e034dc1d5a111d5aa

SHA512
7ec8725fb669d97efa46b393af709dc749cea73b2916e747079671b1d2fc51056b9daba5de11a2dd57dea1be1cbeb79ab4dab9bbaae66db8436ff4b6d01b8fb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
2389fc864fe824abcfa6d4a46b8808a8

SHA1
ae97e818820a107592fccfdb39442bebd8df899f

SHA256
861635846bafd78a4d52f413f53e51f2156b5363961970c4947f6d06a7402419

SHA512
0017af4f0450a0440a5e4fd4270e1212e0e268e4b95a2801d56d16cdbd816006ac4a6bdbbfe18bb3e0458882dbf15def5ac2d35ddb9fb89a4451866ccf00eb87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
795612a18d289ea06d59359cd5806e60

SHA1
ff6aab01ba676175b32d563a23da52d656fb346f

SHA256
22075cf1948b93f1c2a5b74689645a88c4c4f928c97016013e0ec05aa8ad880f

SHA512
6d8baf60c3139b5cb5d49525f09b6c1fbc179c1e55d943b65031ec6de077eedfea61af12ea02f45c2e51354280502603fa2862523751f691ee9e7ee27f289e44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3ab424e0ca10e608ce696f35e9a3e225

SHA1
b1feb68605d237cd3aac54262efc7a002aeb9100

SHA256
c5bb8c05260c1f58dca9c4bf98ba9b8f4c23a806e6a32793e2e4bf77d5d13875

SHA512
f835961f0ff968e99edc40d5f77f9e4f213927d790b754c6391b0f4570f6d6c352804e4c711ff26d68f1ae94bcc7167aa239cdc39da2e1b876b08d58cf56902f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0856448e2feb7bad1c91bd260f4e1067

SHA1
363d8f500be3d36c412cb302fbec2f25f54d1052

SHA256
d3b3b545a7b2aabcee307e8c8a9a8139b02690d50e9c1219a7f86289b3fa3350

SHA512
ccbfe79fa311c2a15e6f607955ba569174bd17ba06c173496f33c59fe228ad0b7bc39de499455e4e7fdc3af5b7f581b2d65a0703c2601a0e71b925232c35d607

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
93e3055c113ae890344a52386a2ca789

SHA1
e26a858d25f2af62e04fd136a366a201fd5202b7

SHA256
368b227e2cc0edbae4067c494ffe8e1999e4f14451b980492af4ba6e57daf592

SHA512
373f4052edd040e35ee0b12dc024df0188e7a3d1370962eb764db02cf839e0774097f4254a977e72278e9982f7b5446c9abf3d029bbd8f3430f01aa7e2f3a93a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
bcfe2745271fd7c0e170dfed8630aeda

SHA1
440fcb131dda1e7e8ee0ebb8df5717e43bd20c12

SHA256
31a6051fb6a3655000708d686f5dfe450ea7ef36c42e0d44b3f39e25ccbece84

SHA512
72bacf1d047686af5ff59fd097ab855b1f7adbd313a5d4a74f04f3ff3e8cdb09f4ca6075b5e340a61a77027afcaed495ee2d2a355c86120663883280432818f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a632bc0373f2447ca77db5b849821a8c

SHA1
f233df2bb5040b9775331f1a56c1a087d1aa3e60

SHA256
8c781ea2ed6e9b3ceed082939db432f696e59a029a03c6ed08061e642c862283

SHA512
77a697e8d4912c4e1f3fae87a5e67fe391cfe55f4db74b8f20f9dae2d41095bf2549f6fa4c5d5abd473e4943291afb97e295ab3ad444c60cabc042541ae756c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
fcbb49f2d11c06a7b760ca76fe14801a

SHA1
f38031a99aaf95a1616597760aa4898f8d665093

SHA256
e221a59c3cfdb29db246a261142c2c5c064ac961d94c3aacd8f03e9bbf2381c0

SHA512
f82d335f5141191b77bdad844a7cf4b973242598f01bf481e2bebfd1c576b20f0e1f517a9057b9fa110f354db71bb78aa347c904d75d5a1a9da953f67c10503b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c555964eac3e8d622e8f0c32d2ec17a9

SHA1
6fb66636f441266bab07ddf5533bb9f1fab76dc4

SHA256
b604655ed9cdf6e21618fcd01b5f41b35853cbcbdd7942903e7bd07d081b5f30

SHA512
3b592f305ccc5d1dffbadca0d123a1d7352a65fe7ba3865446180e730adf2785c64146c95698ae9e8596dd0583531f706092bb2ff3e517a63c9acdf05c63cb2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
6746fc32d869e75ca8118cfd170ddf62

SHA1
09347ca1e00a0d93554be4066b5f7efeab084ec3

SHA256
2f2cc903a5ae1086c0483a9ba2fd553bffbf47b50bd8ac4fd54eec35897fe0ec

SHA512
2fc85feb26dd51f55410fdc049654a78b1a44b62101c17cbf89c17766205be4378f11b8a668fbac72879ed7bde7e0ba44584307a0b700d429027ba05c2905081

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4b8560951f3b63acabe96fdc12c94748

SHA1
83c83adf5408b13346f7156e18a5308b782e32dd

SHA256
16a0b8600a307e0a9478f699eb8dc78f19dcabc21f3759eea601c4acbee1e110

SHA512
31b4a39d310cc7f785840cc31aa4567e0bb48f2cfa1d3bbe2c4c5eeb80ad5a1a8649341a02156e39e48c8fc813efa44ecfefa2bb86af05e8d7d240a2969f1ab8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
26e772dfef47a65a8c06a847783abacc

SHA1
faa29db19229c8eb69696df564995a36a1f17a40

SHA256
55cb024cc1b571048478523694517e8e972ac8d5405befd7911007b70e0f3269

SHA512
9772dbed4ecb6209a98b36169332ea83e157ef069bf37d6a8e579d9f965ef3ff3bf45e28bb4ffd81d6cd063e0506a529dbd39499c8988378dcc6379047224b1a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
5bf93cd0db0326718fdcb71ea43e083c

SHA1
7e368f870aaaf6c79e56c18d0777b97204594ed5

SHA256
2bc646f141d7efe7b8f46afbfe4d31b79f342da522d8ef9ef7c7d77205b44541

SHA512
0d1fb48c34e05ae92b7e7a4aa6ecb83898bd30b95632f0a762e536a9de358465fd7c3d14c63c63d5b8ce95a946341d06a356312846108cac43cf8c507b37baac

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3f81a21ebe7f3d3d91d7645e8cbf8f5f

SHA1
cb0b1a8e102b4b251262ce852ab664cc346800a0

SHA256
bc9aa921e6f53a1e13a660cab338211d1a98271accafefac6a40440b17473be0

SHA512
c0d95d44d952e24ef5f1d743f215fe8d7d8da5a9ab0be725f731cd6b647bb531225efe66acbf20163ae33da69eb36c1ce8a47c5a4b1c05434ce337f40aa9296b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8376fde9177caaf3c7a6ccd76d859aa0

SHA1
dc0f02ab40f8e60ade5dfd48dc7a3ac241ad4cd7

SHA256
7e6c000beb76210d9aa3f5330a7a804b5d641482cb7a21ff090032d88a9fe3b3

SHA512
0fa754264a9f4860fd6e313db27864ffc5d7e4e3b0ff3c256110cb942ed80e98f773284de3a35cec7a9f77ccbaccb96458f997317f4a7753830732ef563b4f06

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
21695fceb857eaf3332b8323f4d92fed

SHA1
65bb43a64c4854a02a6557c2a8cb0f6c766c1c85

SHA256
55785b2db12ee09bea41444f92c8e00db170cb6be43193ba657d9283a30d0948

SHA512
8f64c928075e9049df5f442f756fa5f4e97a1949dcbc4ac5f62bf418d53e48405c8404a0c70b91e1cffea6c8cd6bf066a2b0f61aaede908aa8309376b624015c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6713dd1e51de3c63b0e1c20de3687f49

SHA1
72fced09b8e575989d44f278f0275cd7dd4e54ce

SHA256
5efb7f63652a68ac86a22d0c196be8508a61da569d7726fac4cf8867e4abe871

SHA512
ac0b2ea21b10772fe13f53a08a06d6029f9d6c260a15f5d41bcde0a8127c94b8e3bde8bd37c6fb09286234b65ce056b48ab09e15d17ef7b34379591c46e1ff9d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0da98d5bfe1e017d30fe9db4ed4ac853

SHA1
ec421ad1cd813ca1260b6f771279f38149499f92

SHA256
d9edd4de905d98140fd0aac925cdb4ab4fbf8e8f683165fdc26258d2595cf5bd

SHA512
ffe0324a5fa82612b40f50b61e0e4fd14e81c86830baec766b55af06c004ef0ec36262c1d1d07932c8120f086c976e9e7193fb566c5115ee894b1dc8d90c43e7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
24622dab86c8fe208e363ddc20febefe

SHA1
8863f8d13f4781152c4da0d9d341899d3ab5c3b7

SHA256
10c113e9c20ab058e200eb5cc86840ff109616fd3b2917cbf56ffae7d909128c

SHA512
5f8351dd16e4b164875244b40991e235508aeed915f8c785dfe30da0f2d6ee52238a5c849394bb53a4d3b98681269a566ff57e2bd9a86d9a4b7c77bd6c1f7900

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
740ab5a43d191de93f9bf6705626ac6e

SHA1
7e5fe836bff4fcab85511264838d652bbe7b190c

SHA256
c961525a1b5d19f87030526b47e8578ce15078b0cead76e47e409abef00e2ad5

SHA512
b3127565ea987e8eb6889a1f9afd9f90561d4adfed50068a0a5d9922f395467660a2485786ddb5d671df278044f73025782aae04136fafbb6f1ea07a6e7ddaf2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a73c1c775592f1ed1d8f96827824088d

SHA1
4a72a63bc897c180353d61d7c589d9161ab158bf

SHA256
fcbfaf24ad4696dddbdf9ab22615dfd903c3a0ef77d0d8a394a634f56e431fde

SHA512
b598e3bc4b6d5dba8a8e3e50fe689271a5050df6d589ece1a7dd3b83be615978799f4bec1b475960761816cc6620f8007297a64790696c824dd27840b9598cab

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cf724ae71a4ab7429efc5cc94048d5b4

SHA1
4871eb98493c9c4c1094d6f256f8e794c06853db

SHA256
1be0771a086b378b44722a1bdae5f1770aa9bc7de7ab6ff20b83c3c5dc99d287

SHA512
026e2ffbf8a1460fbf07f099164ce5264d6398544b104330204c7b44e25b573f0ffbc3e3573a6a65fae13c6fa4bc9fa0a24dd639d9c0fe078dbdc0629990ccd2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e49aea1d170f570f708db55388184610

SHA1
8ebee5308455d4de8b28bc6c698519fcd11bc788

SHA256
0f18bcd4b1736c1f76e3ba648dfd7ddd45f16f59aa6687eb8e90c0ed6ccdea80

SHA512
33ef5ed1c9a86acbe3689209fd2b8171f4cc958f2f3d0f0f823057f756bb5a0431fa844f598723ec04a36cb7c5404dcc780358a67415184b72893c42dc87cb20

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8209cbbd480d1a161ae63a673edc4c15

SHA1
79c2d300954331c17ebc96fd5b7463292aa0549b

SHA256
f6fbec0a39cd9384db0c7f7943405ea5cb7692a5acaad011ee4136fcd052fa5f

SHA512
c41714deb184b96d3d42dc0ac95aa4408fe4bc042a3a35dfbbf49dd5dceb22c8a4fdd758c4bca895374d23adf022a201009bbae8778d5e823d7aa27326077423

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bc086736ca3246b087e2a702148e1edb

SHA1
9ec1d83d7426f1e2812ab580b7f87b9b4b70d980

SHA256
b67f0d66ed24ee0c331b7a2ffab6d4d1a5fadfa2a7a77f753e27eaaec43c4b09

SHA512
acfea24e4c39651cdd2c3cbc278bf981c5c05f05cc2975677176fbfc6ce2acbc31c6730ee097a6f655bd9719a8d475d55fa34fd502e53ed52ac55de96e2f2912

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
75dfe74b8b0dfc4baf477c18eff7ea7a

SHA1
ae307458f0a6d1c767ab9d1566b31d18f7c70aa8

SHA256
917e8cb496d4aa6aed9d3f3271bb539a1aa218b2a0aac66114df531c9f60dd6f

SHA512
be08b77f780962bb44069c246061a049ce3479d6dc268ad991bce35e116c23309b6e46740cb8ce37dd21609b5702c2bb76e9b30b2c58af17b18ed1de61f6c2a4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
6d3eee87cef925d8690710c403e6ed46

SHA1
2b407714a135504e93aaaa3e5e05d38fbaeb76a4

SHA256
7a00b8873f82fd7188af6c4653041dc53f6f81ccb857bb865f4b6cbcef88d905

SHA512
c7d2a03a71b0348aa021d92549631e4ec4b49d1d39c709e8625f2072c4648265b42faa6c309bf05657a941a2d9aed545836278661b69f0c75e6a1668a5fc34a4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b8124cfe5455a1a9a84bca2019b61c17

SHA1
7120a1880fc2a61dc30cc3e96433743ae41183f5

SHA256
62392024cae82e6c579d5264aedff9842db1264a34e524334c6c3559538e1e74

SHA512
6a0c1d649c1239f4e81e215af1bc8bfee4cfa72c1918485c0bc1898d2211e79b0a6ab3b4282e22c24e3aee0f77cd0d3c2b6d7629bc31932588e6221058321ab2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1454085536a378102680a17baf14d6f4

SHA1
b1c12c05f381a1f3a6a2315c41d31128f83fae4e

SHA256
533e37310a0d0abaf93f0ac2d392d1a027ad0dfa98dab8461adfa579b81c1c70

SHA512
c731f62c4b49207bcd1aa60a995201ea7bfb81be29677eebc6568955fb4555c3b96b693874d7bfaaec0e25946775bc27815fb6713f08b4f6ac8fcf5fae3ce2ae

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cb5b024bc6cbf20227ba39387f065395

SHA1
db8334b61d322430a95d56054e8cfe5daea3be40

SHA256
5f7de09fc8649aa7e814a53acc6da48e131e8233f9301ebeb2845263cc02bc24

SHA512
c6d1d18e290c5766abf8bdfcd632695fc24a0ecb9c2788cbedaa2bb13182408360e96313fd66344d8e4ef5b8dfe0be8597ae24ccf972a968c36e4c77c0b3a36d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
de7deb4eac62ba0fb5bc8333d3fb67c9

SHA1
8b179f915cfc17c7f0238c3e5bcd35172d2929d2

SHA256
bb1d9e5a832144d433f2c97800e59f72f1c0307c13447c6f534bac5d589e0f11

SHA512
28802e15b0d978d5fe7b94eaeb5647e934e0e1a61448402e2dececbe23f9defca05487dcab2f195a086cdd818c5b8277e2f05643f3199a3daf89964c851b0731

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
1ca1bd7e198a828167f6f49422addf3a

SHA1
ac8d869cab0b5c76da8d384d51a59fbec4662f7a

SHA256
0c403ace3944ffc1a4d7f07e3c99d003956817c57ec23c6eb0438bce4bd9e1c4

SHA512
5d57179fa6cbaacfa83eeed173df1c4ce141d9fadecc8113007164b1ab27ea47c39ee9b3fd9f69a87f7c9cbb73a5282253c8654a9dd2da5e3f565d8cfcd61d68

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
46a344a8e0281cb0eeba8d4be9bfeb57

SHA1
67ade2c6af95cb8ce47b701ffedcf0f767bc9fa9

SHA256
dabab55380c502cfda2b747e9ee298469cd4d177697b020aa506f0581ed5ea90

SHA512
6383c3109accc4276d5d8ff833af509c1b735941be4555671ee3eea3b23fcab1f973820bf7025683a19dc072dd5f5f17ea5506bf2b1406ca93dcab8014825a27

Download Submit
memory/432-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/432-84-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/432-78-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/432-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/760-106-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/760-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/760-102-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/760-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1032-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1032-114-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1032-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1032-22-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1032-23-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1228-136-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1228-382-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1596-453-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1596-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1608-377-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1608-123-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1700-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1700-455-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1892-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1892-89-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1892-90-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1892-96-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1936-167-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1936-458-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1988-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1988-386-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2040-8-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/2040-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2040-74-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2040-1-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/2340-122-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2340-31-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2340-37-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2340-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2432-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2432-110-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2956-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2956-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2956-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2956-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3136-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3136-381-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3136-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3396-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3396-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3396-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3396-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3396-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3580-459-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3580-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3760-454-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3760-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3796-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3796-150-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4028-120-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4360-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4564-111-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4564-166-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4840-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4840-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download