a16d8df425fc9f22e36c8c3d385492172d2f821cc8861fd13ee27ea882012939

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
Size

1.8MB
MD5

06cf2c3cf459bc6f1f6df8edf59ae281
SHA1

ddaf3df02caf5c302081eceb01926be29d48b1db
SHA256

a16d8df425fc9f22e36c8c3d385492172d2f821cc8861fd13ee27ea882012939
SHA512

db758a9a457ed3e4c9e4e9204b73435e0cd1172f355ab86e31424bbb2ddcb5fbe3ff06e8612cb1c1aad8204865a6fe1cea3d38a487186b0097258506bfbaca8a
SSDEEP

49152:BE19+ApwXk1QE1RzsEQPaxHNy6ZU6CENlc7dpJLrQWd:S93wXmoKa69CEN6rV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4976	alg.exe
1476	DiagnosticsHub.StandardCollector.Service.exe
5028	fxssvc.exe
3572	elevation_service.exe
2132	elevation_service.exe
3808	maintenanceservice.exe
1172	msdtc.exe
396	OSE.EXE
1152	PerceptionSimulationService.exe
4380	perfhost.exe
3760	locator.exe
3208	SensorDataService.exe
3636	snmptrap.exe
2344	spectrum.exe
412	ssh-agent.exe
2992	TieringEngineService.exe
1512	AgentService.exe
60	vds.exe
4480	vssvc.exe
452	wbengine.exe
692	WmiApSrv.exe
4372	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\afacccc3bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{3B9828FA-6A18-4F1B-A570-1997BB7D5CB0}\chrome_installer.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008a40cac6999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a0ffbac6999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006177dbaa6999da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ad21ead6999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a0e1aad6999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe

pid	process
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648

pid	process
648
648

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
Token: SeAuditPrivilege	5028	fxssvc.exe
Token: SeRestorePrivilege	2992	TieringEngineService.exe
Token: SeManageVolumePrivilege	2992	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1512	AgentService.exe
Token: SeBackupPrivilege	4480	vssvc.exe
Token: SeRestorePrivilege	4480	vssvc.exe
Token: SeAuditPrivilege	4480	vssvc.exe
Token: SeBackupPrivilege	452	wbengine.exe
Token: SeRestorePrivilege	452	wbengine.exe
Token: SeSecurityPrivilege	452	wbengine.exe
Token: 33	4372	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeDebugPrivilege	2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
Token: SeDebugPrivilege	2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
Token: SeDebugPrivilege	2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
Token: SeDebugPrivilege	2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
Token: SeDebugPrivilege	2996	2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
Token: SeDebugPrivilege	4976	alg.exe
Token: SeDebugPrivilege	4976	alg.exe
Token: SeDebugPrivilege	4976	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4372 wrote to memory of 2632	4372	SearchIndexer.exe	SearchProtocolHost.exe
PID 4372 wrote to memory of 2632	4372	SearchIndexer.exe	SearchProtocolHost.exe
PID 4372 wrote to memory of 3544	4372	SearchIndexer.exe	SearchFilterHost.exe
PID 4372 wrote to memory of 3544	4372	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_06cf2c3cf459bc6f1f6df8edf59ae281_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5112

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3808

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1172

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:396

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3760

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3208

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3972

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:412

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:60

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:692

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2632

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
0be122c0744e1b6f554b3e769f694113

SHA1
176d2cf0c634ab1550939f4c51cf841cecd5c8b9

SHA256
74b3f49084d230aa8aba965ccfae3146e678201eb0426b6639d2769e639232c3

SHA512
f5427d81ce8acbb856f2ddf41c6fcf50249b5ccac1c9d819e4687cb8a0fb11334536c20b4a114fed61e8e3564cfbe253ec6d93fbb58c92ef690e281fff9734e7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
1d8f16059a090e5c861564d31ca2f379

SHA1
fc147bcd93c53d4f24a9ff889eff4525b929ab7e

SHA256
79af7fd276fac1288f500e3ad62f786ab324b37072bdc5b3ef11a2666745245a

SHA512
b256c4a20b443d411067353dc413e7794c519444ae5135f175dba0771c1ae8ea7541085adcce777c88f07cbecff15306e995125294add5593302a100722262c8

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
188c2ebb81d5d9af71113c9947b6414d

SHA1
1d9a76bb73983060b454b645ea4c95e037e84eed

SHA256
cac1b69fd988ed9cb70dcb54e52c8f60fa59e3e749e987c1523723ca3d12a5ab

SHA512
2ac0dbaa93bf7bfc53a94ae918e7970aee48314323fecd237ba72ee87fd0198b687e54cd191681cbf5400fa7dfafd3baa345c28966b9d45cd634fc433f98c826

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
53f9306b952d27fa3a0db26b61b32a78

SHA1
4df1b39f9947bcf206c24c7d836e9195d9cff802

SHA256
00cea2b424ea3ef285f36ff3be29ce4acde173e7a4215606b16d3b4088bfb656

SHA512
f06a8d4857fe66ba7cdf5367dea10e9452f866e58db1482b4791549c201fabac0ed7eac50334e6d2860bab3fd4fb8119bce07607b9947bae8e4f958b5bd26b9d

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
63d6c4d728ae1974cf7c6dea54d8742f

SHA1
f80e79c81f040b215247297e64766670ca5d9f70

SHA256
ae01bf5dc56f89102b298b3ad0feb2c9ee77b2a9c65fe418b752109e1299df6e

SHA512
a45ba55ad35d3cf938b383af5a8e779945f1970152970d8a1140b8010c39eac44eef26dec91ac19925fd56fa78bb6a062c8665ec747b0754ee70345bd61eb804

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
f2476a2dd4f7d015473868e5a48f0943

SHA1
7aa0608f21da08729403264c7067bd58962205a6

SHA256
d409e1999782703c2587cfa010e627ac1497857a757c6c3124deea32ba49dc09

SHA512
a5f1e92726230fcbe759754cc0e30f34d19da1b18815a01cd30b792e04361ef25bbf53011cd358bb98f6fb0f80a349b6a2f1b775d69c474e1699b45abe481dce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
d65509c04a0d5c425b4cfa172c6f515e

SHA1
45f14de1f78637b36a7253a8ef2333f040266f02

SHA256
720ef543de411b75b1e965e7ebcfd08f3ce4a2c6620137bf39946326ab3b9b1f

SHA512
94835a80b05295e958e28cd6949d1ebc372634393f6a3316604a939b9569294039bc9086cdb2abae2ea50257379ebfb32c80bfc15a7b6acd73e2661798c4d6a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
79335c74cc28ee48fd9dc5b226f67f9d

SHA1
a6eeb6edba2db6ebf2cd373cdbe424c6e9e030db

SHA256
b66423d718137820bb5af58661d9ee4e4dc0359bc8217c263aded296c54dc819

SHA512
e0eb7a954a50342c4c6bf39e0511cfabc74bdf129e2f38783200451ec9631ec62cc589dd041613b2d7f36547490ce9d9495a0c70b78eb835c3dd4b4a70ae9071

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
bf52cc6f20a4e0bb8c9dae53e7629b83

SHA1
4979abd9e0e060cf368de310585d231ee8275431

SHA256
898d6ecb8aac038620e40007d9672eb2997cb3725badc733b553ee6c130ba8be

SHA512
2dd0c5e6d6d7edd58dc7bc6dd1f2a3d6f264426f9f530a109fa9faef5844d90c20c8e710da9d861f109b9c944e90aed38e5b049ad5ce410dcc4b1b6703125068

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
65b130e2ef4772ccda326ff3459ced0a

SHA1
baab0d204c68c336e7a01043d242dc9669d8202c

SHA256
96189f9bda01a2d5b27e3c4766ac972478ccd16792b7b40f3cf7547150c14dbe

SHA512
d5c567d35f17992c50dadcb7d4cbebd06c1114a7c9043914f178e7ff051f2477f899714049f29207294fc8576df1f16271be01d424cb470146601b7661692470

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
e700f18f98e4fbac07a9d0327b76b30a

SHA1
c44270c63eb13630d0d4229aaa2c31091d993ec2

SHA256
f8dbb6b91314d2fa0b8c32906dfd83b45a6575ba1d65beab77f2907eec90630e

SHA512
47ca8f3df2c2ef74a698339045f5dcc495e006e84d331f91ca49a39a736873fcfc02a96a9ae0ab6a17c5ccc24927c196bf9c3e1e279541c0fbeda67b0ed18460

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
0990fc102a493d78a149782af6aebe75

SHA1
4f16671d16bffc23d12b65a01e57db83bf08c999

SHA256
67e81e6eed58d1d46422f2d65dfba45b099a40a2bb6c8661958fb700710098c8

SHA512
40950ed26039161e99858a2d484c0364c1a658eb970b200735199877ef056e67ce235429c5aae00b223ced9bf36f8697dafb4aafa3ef09c4043e7e33b86d0f90

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
81996963ce67154176ce2420b53f4ac0

SHA1
77441d5b7ef06355ae6b9a70fdb25319947566b4

SHA256
989d90407ab23445ffacd5d698ade2d34e3b0cdd0b3d76898ccdf0f0f57ee0de

SHA512
34ded14a2f2894d15a0a633995b6e5a6af1d3ef9081ad7ce7cb743835518504852663eef5f69baf95d3a1bcf0a5ed1d096dd05e69de3feff18d50e2d27d0971b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
92888384cedbf4f1d81b815fda93f24f

SHA1
3599483a144e8fb5dbf056bafbffb0c4c49e399f

SHA256
db717af58d2402b8c07d158c24d86b946d6915120d33f7094ea6c66387005fc3

SHA512
d20b38eb38492df40d6a158206c056dd1065f7b6588a8c9465e16061b649bd60e5025952ae62aa843deadac275b8f2105dfba46874ef0e0a37ad204f4db5d62d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
b5f5d3df69ae84f5a88dd40b73a3093b

SHA1
1969d7c2b85a8d628277be551229f26749fd4d91

SHA256
e76c7dd0f765bd066ffc08862197c301e6804c457b42153b520230f6ca3cd4ab

SHA512
fb44d847195bba183f8919966dc25029658ae996fd9542674a5e82e7545f95ea886185e3e43667a3360c308a07da29af161073f41d8299f90e5d28ac75abc17e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
cbebfc4633126ef695997e32151425d5

SHA1
b309ecf2385a4c6c1ca5d1edc3e4182fa098b0a5

SHA256
5688a37f5e20f3621eb303a27945b23aada4528b3b04074cda0a111a31e8d04d

SHA512
64b9952eb7a7a19a34ac6383741747dc9a064a607d7078c792f3703e35e7482eb0bfdf45bfb3bd48db9e946a76ad47a37e999b3fc8921f6d7b0c6cd08ab7047a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
875a56c61448c5d0fdbbd7195e320460

SHA1
c811aebee63d387ab0da7ecbb50337a331c6a0c8

SHA256
3e0e7a0f2786981c733d43620db41dbf7a2bb796d0a019132148121a04cdc3a7

SHA512
b656dabfdaf1692bf2741e0bd685984074b20d3947ec23adf5f52074dec5e1c655527e782f4d11d0094d4c8fe74fff0ac9cc755b76e679eb00620dd159d7badc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
9f02f6f124470c04295f57ad46e41131

SHA1
93df3ec4bc27aed56e75952ee8862783ab222a2c

SHA256
34666358a73183623e92a23e4bd80e461492ef2c26cdc7b9a7d8c54f3800671a

SHA512
e5ac212d9b94ba1e4d8f8bce69c42e569cbcc10195d3430362d400d73a42a2edb712ba5afbdd6a0c6646f607b3ffa5a21407a9241fe3c9c1661e2f4e77f6c8a9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
4ac81a723ca05ac761ac9a72a0e6a1fd

SHA1
b8d7b980147bb6565d0fcb5215fc5a7c0d4fd2d0

SHA256
f1a40c107768d5a750f320b54655d5456c458161e29949ca92efa615188b7361

SHA512
85a8b029b51c41ad61ebab1bf927725b3fe5d19c7d686b225ba04795719e399e5379e2f1696151f35ae42f3d163c8b3c2a53ca591b8cda3dc52ec2ea5332541a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
d4b671fe65e923e4cf1f720b1883488a

SHA1
eed5c19ef4fa1425115b2af561152c6c49a0ed21

SHA256
38e730a4f0d0e17383d589e79817be8a913b06caf6ab04ab2ad12b8dbf04187f

SHA512
bb6a2b9075e5dcd40f922f1de259e7b184ab05bdcd9555fe27ba6d6df9c3426d8d599407bd39e9a534f73f3ea6569e13fdb0d256695fbb9fe2384cab4964e78f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
6b46901c39ecdf4c14e2f1793816d6ca

SHA1
cb222efe2dcc9b5c8aa4a98cdf23addebf4e792b

SHA256
ffbc76e841366590cd1ea72cf7cf2b5048bc4e71a7202b83c5a15240d4709d4d

SHA512
6fc4d195bee97e9bde3fa1f65fae5e073d1e547b49f5927d5e67be702bd90d72e08f7264f4a8c239770be621fe9f450d342ada6f666ca51501633f93ab39347c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
b564e8ccce848fb7bedd87bd47486019

SHA1
1d612648c30d8743a868be55c53b8b190c7bdad2

SHA256
5a7acb046f0065d00364ba80be7102ef7c8a64a3fc803d549b6adf8130d3641b

SHA512
87c4eda61349b5fa73e95b940e1ed0797792f3d4d935c2f9852e57ff7b29c5a4ef698b2eafbb62b27c47dcacbb695f7fd88701cc03a3bff2d317edde75c578e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
02f9c3aa4deec195c4e36458e3c93b0c

SHA1
44515dcc16536136ab4136a9541356536da1010b

SHA256
06361c9ecc084145a1f975e940fed476b0fb4f605a9c0c93b957a04314855d48

SHA512
89a84f73d07216d825fd6a2492b4d969ae699b751a14dfd486049603a4d6660922c840aa767ec91dff2f9acf61d67ca57e2211b324acf6656e1fed4688248632

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
dce010fb8351f818f7782914bc13f6e2

SHA1
dcdfb9009e1dde06a9411fd3c3d27d9ba104a7e8

SHA256
7decf12cd95c87e09586023a6f05d1b0e3da4e048db384d1d4193ce01fde74c4

SHA512
aa18a7c54833f081111519d8dd2da7ba693b1161cf6a03ee74bdd0b83ef8d6c475aca82ed30b5c6c7979d557144e33b07cc3cc3a3c137d305c1e8fa36fdfadc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
f26b88a5aacb5251ba5cf066d326acc1

SHA1
dd095508e712555f7b43f2abcded4c94ca5ad4bb

SHA256
341fdcb5e23170ec49d413fa880d757b642b3a11bce36c677354702846e37398

SHA512
0ceea8d6860acb88ad1449d7576505a331c347dcc9ce6816b4038a3670257438d6edb094c888cfefa6b0f665fb2c676775797f474f52f78e4e291da76c2b67d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
23e17bd8db936eb8dafdb052eaf90d8f

SHA1
352e15242d31f492bc3b1b5451ac71f29c66413c

SHA256
dadf20efe9999368c7a850c38506bbf34917cd9a711d32e8b946ef38e4ecc42a

SHA512
f49f4252935b9519dba92a5f2d4a6d476de462b435473c730337e3f9de5c237608f4da2bf28095e0b4dc072083acf04ffc7d4457a3257f73512da771c4189b5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
7bb7f3974ec6361c3ca3f5054785c55a

SHA1
6aaf90885b3144f0c039617f0253a1d913349ca1

SHA256
d995bab0875bf55e58ef1df4685a45d2abba671170e3a0d5d329c602a2262e57

SHA512
8c34124010cdec17180705628c6a88ca7adb51a50620159e7d94f354226d04a7002710eab5517f3f65ea150f271d36bb81becd03efc0376be6d8079b6768d400

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
fbc3bae9f7a612cdad985cc2d53155b7

SHA1
e78d6f60b5a3825a9b9678502a738f440adc7b2e

SHA256
ad2d42bb5715adc931262e4a2ecc7e5b8a4ee53becd8ab8a140ee187cb794b7c

SHA512
5b4c4b822150c4f07caea92bef89721e510ca86b962d3c9814bc63d0b01173810d601d302fd8248648806c60ea9a4559557ee3fb81bb73bb1f1d6a2b8d8cd7c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
2105bced4e4e2329daef253e2d1a3a43

SHA1
91bba9136141107460287cebd33c00a83f673242

SHA256
2cd2b3772d5c5f07fdbfdfd52a1fcdc6c4045b0905cfa2bbf83337f6a66981f0

SHA512
e09cb1334efe45b1c754be58db6cb4c69efda009e641b3dba5d0fda46be32b8a2d1836c7de9e4903906b5071f0bd342e0d128265ea0fc5a75fadfbd0d7a23657

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
8d53ec65ec6d18257b8ca608afbc04f1

SHA1
d8711d7a103594ff9530e033b762bbb225c589e5

SHA256
29e9ee2d5dfb2325e5ffa4b068fb7a90dfe30bb1673483650fb71a438a52aa73

SHA512
6f7450c59219410b8eb73faa9a3cc15b1e777c12dfe15d1ff3697c8c2773ec24350c2c714adc7532355e339ea992629c9b7f5de2af9fbc3638f706c512f5f9b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
4747b9b90f425afa8507bd66085f23c6

SHA1
ef1b6ddd8b7c46592bf56dad8d1194fa8c757438

SHA256
7c5cc097c721edecb3f136a08759e05e84865ae1e83224b88ac44b121ec3e31c

SHA512
b386f923ef6d64fe15ad06b5a335bc8f03dd6269c0f15d5828e221a92e5b0572367d099f3f9fce0e27319bb1a6a4b4daf19524281383f57f0c46b0f0dec78a45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
d0fa6a3e4209b24bcb4bf19d495022c3

SHA1
edbbb7ae554fd53b5c5517289df99ed85b327708

SHA256
7fd7186fa630498cda1452d0df89c620e87eb71bb76a839bf1a58ad89a65afae

SHA512
60a1209ae5338ab8e69d94a9322ad14b78d0baac2d0f7d12cdd558b8313a9601abacb7079cd7fe0e7dd43a4b79d3d85c0184f50025cc2440d7a9adcc3c1c2277

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
9a1a0d8d1463ff2be7ad732959a31c68

SHA1
548a302900a38427981bd707238b57e3b56c8b06

SHA256
beaa9d7811a42b63454f5f4f552ab98858b53aceb1482ff860c1a0480fb9d7b4

SHA512
e1420bc08340e6616686fdf881c28976631570f00c5bf2d589bf5b917ed0a8ecd710d3f21a7ca87a0537d595a3967161bd0216afc2393c2843b2805ee268fb92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
507f622538babbd69e5a32f9b30703ba

SHA1
5d41eabf3ba983a485a6598f08695659f88b1168

SHA256
e1eb0430bd10d000cebbaaa18eb4f4492df5b280930facf216f48b1d272879f7

SHA512
f2e323da4681046c1b9f212f4893c131bc84d5aa11b841cd2fa12a1b8f2474e5ff046c3fa6faa1e1fa55f8649d6c2185085c5a09966138679385ad12ffcf1ba4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
42476c322bc3f2a853744aef8a817ae3

SHA1
7935c4a9653adeba0098e3ce6f8ac967048860f6

SHA256
ae3c0b818aa017008f25690b867bb972636c9279a163a37a389172de257ed05d

SHA512
0c22b3ed3e078b28e09452b892b317797b4e085add210ab9fee01d92fa2c473f9c9d2e6798d781a3b6dd8e1025bbb5f2509f4e0bf33868a9e6ccdb91fc4637c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
e8ff3df254b1086fca3a3b4274b369bd

SHA1
bcd39c6cbe578d0de2069973ab8e12558203a952

SHA256
94aeddec46ec31f11242e0c54be0d79931d37274b8afead43f35dfe14bf2fe6d

SHA512
10454ae8dbc527018d5deac9efe009d5fae2396d2846e3fed9217917fb4c860bed6d5a7abbb5fc4085c1532981a8fe83652b334a4b3bd68a7e0cf900b4db8414

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
86a7f6d3151a425dc200cc07d2167b7f

SHA1
5cfdd888aa5c4c43dec4ebc6d51ef50015a99545

SHA256
6f91e1c04ba62daf6c47b4ebd343b67e91c0a2b85218dcab5d9d7f0a8596a825

SHA512
0b5241dd59f945d6fd16edb6862b364f12e29a5b4fddf378d9d613b2ca030e94341daed69d5ba8a5e2cb8759b9a27d307d840e0de36a770c6b6f806e183a3816

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
1ef7ce9a1ce0b4f609ab6110ec97c841

SHA1
14cec63c3b9662dabc926c9244d445b0b35f7b72

SHA256
d8c8033f929bc3c4270a5d4a668542371f310d204d84587b6a0edcfe96c967cd

SHA512
f5b62aed558897143870f7c51dedd00a33991ad7ee0a92a6d38f0bbcadb90aa4d08727a4342b3618f4668e3bd0f7069e1cd821a4295e5c767cba92f14ed81de6

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
f425b871d7f9db2f34abc900283bf3b5

SHA1
2afb093f29a12361ce6d68691806f61b979b2f35

SHA256
46cfed6270a55a6dc519ce3aa9471cfe6dc4ad2172bf7fcb1c4b6cfba4629b80

SHA512
630ee805a729c1aa3fd591fa64bf94a953fd12593dbaeabc03f23a4ed275843c48de3ad29e1495cc1434b2b4aa7fe351b939cf7fd74c46db4729877075810572

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
78e02564ba8fe36cab42b8774addfebd

SHA1
4d356562e6744457ea90c7f825736e2097aef112

SHA256
18b5abe9a18ddd22c6b5c6ae28091a30211cd2bd91277ea302eb81241a9e913e

SHA512
c010668c22bd940c5e30be5f654c4476da11a9c38930e0b227c6497e7a9c625fe2aeb649fbae42b51d0ebe0a95d08354df1add7621be5bdb98fec88b0616e652

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
d1966f8e9d128239cc5139fc26cc8b94

SHA1
b854b00ee195792825d6557a2a548e37a8bb75d4

SHA256
ffaa2b509566dd7bb984168c12eadb2261abff545024010087bf05621c8d8dc3

SHA512
72a51f685d81ff938bd0e89790bcc5457188fb097f9f0b64eb5f419c06c91f3c5c867816831728586b7bcc7c80eb0a39f3d52f9e44e74efe2eb595c4ed522634

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
b73682ae9bc6e78be33f3ba86031fe51

SHA1
0015b6863b99ddb554628ed7ca3194e6bf5114d7

SHA256
7c272590e633ed1411b901d4ece08980724ca555890f31db00ed572c844b712b

SHA512
31c0f267466fef3f122e3b4ad9b069bca5e014c73fce575eb952789f4099d1cdfd3e85e8478f78aae9112c2480fff95d09ade67b50b9b5062382612f65b984f9

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
9d46c831f58f4e3a79369621c38c1e64

SHA1
037806ba6573cc386235f081e61fe899f52f314f

SHA256
cd3af4c9210217133f5abc0c226192a28cfb3065f3c9361e83b34f6873d16b3c

SHA512
53fb2b6714a4efd49514a290cb8e74c8ef0a4a619c4392849fc0a24db9b057629a5ea48b1cbaa43db83e3be8020894e6c48728670c776727cbc0db05729ba97d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
d828c80bd888288b9e282abfc68f2c4c

SHA1
b9b9162181f84afb0a22482bf7ec6dccae52543b

SHA256
8b717f0b427f4ec033611d035b2a50d0832899447b699fe36d24eeb785233663

SHA512
e64c03399b7d4236d4d5ccdd295040160daa0ffbc3a3a529c65d01c9eb901d020a480ed0208c6dd81b8bca261f2884d0077db13d845014f0aa2b7883faf1e34e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
737de8c96d78848798201591a08c0a59

SHA1
b29b58b524fc7621239f5a5d48ae9c6cd75f0e03

SHA256
7d0fc4b53537a4ef07e189242b7e70e73ef5722d0170cc79e0f5dbc61bff6082

SHA512
01166245dbec31f9469f65e8fe877f735f69c54dc8c8511afd5ca18c3852d2b896ed9f18cc059e717c84fd8a1301e7430ff5679c776e3e86469e58dabef66b49

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
aaa7c4b089c051711bbeff9c67d34f1c

SHA1
7e91b0c120e2ecdefe6d4c4bdc0c3664d26ac28f

SHA256
4ac836a1f61474a6a600cea3f62a21ba6f60b1af29ca00a3c0631d08eb114702

SHA512
68aa062c62012847e34be2d4c190c1793c1a9142f26c4414534eb70f69eb9a6b3aebc990e707b570c0b808e2e75be46e976f26a44b41fef7706ddb8e9dcb0f3b

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
a747d6e46d59847a5e90aa6a0c2e7822

SHA1
bdc8c2fafa134b7777fd1fd9164b788074f56e13

SHA256
92f6a92aa0f97fa6683fe5b03dac0657b41b8a73f4281810e4a46da3bf75a1fe

SHA512
d33ffaafb15b1b42dca98257e036ed7d2a3e2ab73f3419691a56195e9efbaac5bdc73df3fd08c6c66073816912ae9b92ec57275ee7eabc4bcfe4122734a63375

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
d31a9827f620003650494910b93a44dd

SHA1
93889e884ce5c789479669e861b5ee3d00984c3a

SHA256
fada64ea4f1c314475e26dd067fa515977cf065999041a95d998290a67287c76

SHA512
3f88a9e0a6bbecafb8456478fa4eb90a915280e8696be1da66245a9485def4a7823ce6f5e2f262716a4e0f6aaa2a1e6240695c385dbeb5541d71858508f464f0

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
bb46e21dd7604fa06fa8bbdb3b8f3ba5

SHA1
d61cdc4bf02469bcdd7aead61af2618724a72269

SHA256
cdeb0dc7edc2cce173c4a8fed19091cf1829dd8ac9e5adfcda3f7c136714e5f0

SHA512
d889e03a4146cf59b9b670f730a73c9489f7973e350c89af6f48c930a9a5308aa5af5c46fa0640a61cba8c8c0a5e9d7b77b217e004a7ca981dc464288246e628

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
22b63c61f98d6573a5c2f2a88891bb4e

SHA1
eaffc7a8cb0bdf0d74c0754995b8e4d812529dea

SHA256
e8b4ab3330e3f2ee1078a413911f97259b5eec68b6184d71f816dcb09d2ec6de

SHA512
9a278b44898c6ecb80c07b26616340ed29108cee0ded101ebdc97c5e2a5842b073acddf023f84d9a02402a3f67790bd916f280e9a0726e74ef39cb4b723cc9af

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
023508a3f435bfb12516e7f43809d8af

SHA1
95720a598acbdd88121994d4b62ed233ae9264ad

SHA256
2444fd221658c9e71ea19c3722a103fbea8a44342b5b69100bf1f11c99faf41e

SHA512
84e4f46a318635b65dd5771f7c5543980fdd148fed70aaa49c96363f0c5ad7ed96dd2dcba8bdc02aab9dd863c8911a86f86f82764e6d00fb9906fcc98293d441

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
af5c2dee60a594c150acb47e0957a529

SHA1
2b000617fba6faa0c6231af7c947800166d0ca8e

SHA256
0e1868784a9d5acea304b650a1deb652df9de3a51b0d64e000a6187f3cea31c0

SHA512
3d2500f312ff8f480f9e62c4d73c62e13305320ac71b7bb7d61c1fccb365cec504709d822e0cf2a131a2075ce139687f6bb57007536f9988aac0af92cd9075d8

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
4e92a0c34e69943ac8b2b049694fc471

SHA1
9f2d847432de432a34c1f228179ffaf4a6074e8a

SHA256
78b9956e2aef4b61edd42640b2ae842b1347f1c02fadda2f69f1a037c401979e

SHA512
462e0258d637b8ce04781ddc86d452963ee2e2560561a16a738988bfb5501ef158345b547f35627c54eabedb0b3e6ea7bb48cb0b1bf06bfeb05692e8a289c3c3

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
f9d7ef3c04767cc8cdd7cf3bbc62d595

SHA1
a695793c4f474d6e8ac1fc2bedb55b18b48b4ff7

SHA256
4f64869479f1b5d3692d741b98bb601a6af9f4b8152b6dcc5ce8e7c9ffae5eda

SHA512
bc5645bcb45ef626248646980c5c23f2e56c3000d42534546a20f971407e292a48d0fffaca82fe4fdefbfde2a5f6a897f2689d8d7e54c41528b2a0bd42d65fc7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
7342e704e113fb0efd63c740c55c58f9

SHA1
c1e8f71831af60e5ad031bc81542f00ae6d33060

SHA256
3e49ff771eb19896dcfd5c1fb3cd9b3ac4282d3f071ad97a86022bed767ae569

SHA512
b00ca7831385ce745de06ac40332b15d0b9ac4411f5772459d23a2a0f042204cad54bbedc0ab4ad8a20e5b796c2863ac0721f56d857af391b353536798a351b7

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
ae0f75544d666f892a775671cd2a087c

SHA1
67e63b9600f4f35a7b056a7c71d47449539e667a

SHA256
0410be28814a801401c383a2d88b4fac74d2cc3e8ebcddf86a241e5dae6e8b8d

SHA512
64b531c2e739d8148e85fda4b50fade73b5dabd367ef266791d4a0b82f659bbca1868ac331d212534e790fa1ee174c7e64423adbf20f1d9481401b84707f1e26

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
0d7c8c1772ad96ccb2967cf420ac1b77

SHA1
b357dee680df63eee060f0d7f39fb541ffd49876

SHA256
f16372e10eb9f3a90237fae2d2c9a13ebe5f4b561a69ff613fe15d5796a01566

SHA512
0372a8f9c29459939651e1e69da0f9284d576a4fc8215add6d30b9d1e79f8fa1aebb61228b936ab78df4d48cbaabb92b79fcbe82cd5c167aef114cce9d947f9c

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
5209b51e17fcd28da90e9328b2cc8965

SHA1
9184d65ed75c0755dfb237052542ad5540bdab32

SHA256
551fed5252c06eb0c76aa1c4be167f0dc39ce670734a0c31b6020c8df77677c4

SHA512
97bac56c0ca40517353ac43e5b2ff862deb347ed8e7f8429e0a5d18eb47db01776b76c8ab6c738a1cb97db83c6d430a832acb93fc2c90460e7ed2459f5ab562b

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
dc57c05a96917a3640e6adef10b7711f

SHA1
5cdea72388db1bcb898cfd6478c0f32587dfb47c

SHA256
c4f49965ab725378816b7501deda9ba19e2f68e7ef32fe493dae2a2e658c00d8

SHA512
1ce8f94486c7e6046600363c97f382119fea72f370b7799565b6c7fd7f4ab1d29933c185d8da60924e3d271d0d85af5f3bf624b7f9553c2797ca489c007cd35f

Download Submit
memory/60-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/60-511-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/396-228-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/396-123-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/412-187-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/452-518-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/452-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/692-259-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/692-521-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1152-139-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1152-240-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1172-88-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1172-227-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1172-92-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1476-33-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1476-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1476-125-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1476-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1512-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1512-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2132-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2132-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2132-201-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2132-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2344-506-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2344-186-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2992-510-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2992-196-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2996-82-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2996-2-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/2996-7-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/2996-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3208-163-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3208-504-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3208-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3572-59-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3572-53-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3572-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3572-189-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3636-464-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3636-164-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3760-252-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3760-140-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3808-80-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3808-74-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3808-91-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3808-89-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3808-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4372-522-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4372-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4380-141-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4480-512-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4480-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4976-11-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4976-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4976-21-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4976-87-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5028-38-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/5028-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5028-46-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/5028-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5028-47-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download