0939a8bf63ea69860f9d3d65053af478e8bdde29c302641fb17afcdfc576bc42

Analysis

max time kernel
148s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
Size

1.8MB
MD5

2c1b7b9a5d18b30cec997f920ed816e1
SHA1

992fb486d6612c9d5dec991da972a7d26c5b5337
SHA256

0939a8bf63ea69860f9d3d65053af478e8bdde29c302641fb17afcdfc576bc42
SHA512

4b5ab70c638e091ec9e8cdcfcf4f7be772a4ed491f2baff4ecc2f296f6024632688b92a04bd953cb2b679300012149e20a9fff5dc3c61a8b19db12241a561688
SSDEEP

49152:rE19+ApwXk1QE1RzsEQPaxHNYkQ/qoLEw:M93wXmoKQqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2368	alg.exe
3040	DiagnosticsHub.StandardCollector.Service.exe
436	fxssvc.exe
4872	elevation_service.exe
1008	elevation_service.exe
3508	maintenanceservice.exe
1676	msdtc.exe
2480	OSE.EXE
4108	PerceptionSimulationService.exe
2276	perfhost.exe
3236	locator.exe
844	SensorDataService.exe
3720	snmptrap.exe
220	spectrum.exe
4588	ssh-agent.exe
2404	TieringEngineService.exe
4692	AgentService.exe
756	vds.exe
1800	vssvc.exe
704	wbengine.exe
5112	WmiApSrv.exe
3352	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a41aba41ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exealg.exe2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028b9c2c88aabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b62935c98aabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d0e55c88aabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086159bc78aabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1ce97c88aabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b838ffc78aabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036957dc88aabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe

pid	process
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
Token: SeAuditPrivilege	436	fxssvc.exe
Token: SeRestorePrivilege	2404	TieringEngineService.exe
Token: SeManageVolumePrivilege	2404	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4692	AgentService.exe
Token: SeBackupPrivilege	1800	vssvc.exe
Token: SeRestorePrivilege	1800	vssvc.exe
Token: SeAuditPrivilege	1800	vssvc.exe
Token: SeBackupPrivilege	704	wbengine.exe
Token: SeRestorePrivilege	704	wbengine.exe
Token: SeSecurityPrivilege	704	wbengine.exe
Token: 33	3352	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3352	SearchIndexer.exe
Token: SeDebugPrivilege	4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
Token: SeDebugPrivilege	4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
Token: SeDebugPrivilege	4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
Token: SeDebugPrivilege	4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
Token: SeDebugPrivilege	4816	2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
Token: SeDebugPrivilege	2368	alg.exe
Token: SeDebugPrivilege	2368	alg.exe
Token: SeDebugPrivilege	2368	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3352 wrote to memory of 1868	3352	SearchIndexer.exe	SearchProtocolHost.exe
PID 3352 wrote to memory of 1868	3352	SearchIndexer.exe	SearchProtocolHost.exe
PID 3352 wrote to memory of 5016	3352	SearchIndexer.exe	SearchFilterHost.exe
PID 3352 wrote to memory of 5016	3352	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_2c1b7b9a5d18b30cec997f920ed816e1_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3056

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1008

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3508

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1676

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:844

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:220

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4020

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1868

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
658c34481b00c7e1b260c4186bc8d1d1

SHA1
654343d54bb3917c4a43c7d7fbe5866062043ef2

SHA256
306bfef80eba1c034badfb3c6036ace5e9f1df827157de8808c007ae7c2c2dc5

SHA512
e9aae63f8c513d2c4e507648f93341641ec81583776e224cb4787044790acd7bd3ab5d16345feb40bb0affb015046b27c9229e6a4b7ed3fdcd32edd66577dc53

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
1b3e78768b7bac1a65f1a1c4fe38fe39

SHA1
0b5b2cec7826a6e1e265e5ce3e2209c4e2392484

SHA256
5761a7571c17f68b834f7d7fe41a9879a585b817e9852d459c62e0d7380d35bb

SHA512
a014aec9961d329201b2bfeae6e7a6c07989900f0e17ff489029f9567fea2b5d16670032372383bf05acdc58b9ad6a66c57d8edb68c1497245704598e4b41ab8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
7dcffa45139aaea2c24e2b30e0b0e250

SHA1
f14eebfa1e441aaa8cbdf5158e03cb1e9be52a5e

SHA256
ce3e987fa40bc74a6b8390f5d0adb68c59b56e587204fa63fad84ed45e8e7234

SHA512
1b8120ccb36273fd07c21a5c22d5dd7c5803fedf90f9af80895f87b99919a216c018f92b50a2e371f693b7176dda1918ccddd6a7d5c65bbb91593cd4396ac71d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f8c2f231da554937f707cc0adfe2973c

SHA1
2785149548adf3ed5b5ceafcf056771651ed67fa

SHA256
f95f32d9f739b5d54a21ef58ca56bd6098e8d63010d766c8896d6088f2b94402

SHA512
770eab9e829e21a7ccf05aea8d17e0d5fc0cd583d2f9b780f85a5e2001b5e11bdbf866ea8dd161dbed8ef2eb6767152e1ea453d4e2199f8aab3a6da3d2424406

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3519136490b3db948c3448d8956462ff

SHA1
b8eb6e14b6ab21f9416e743bdcdf05229228894b

SHA256
6460cc9f8b04b04c7664d1fd99b87ae29cf992f33564bfe0b31de1f57253ca52

SHA512
a6a36fef70bc0a28975f7af6929486cf9007bb7be118b95d10d14686c4e70c3f982b79b185943e6e11452bd3b5e0ba031caf80ac77077d4df3fb76fa223d268b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c7f7f0e834aceef2ca97cba9576be3c1

SHA1
75bfc3ae3fba45ff611823eee10dbb8741bed06d

SHA256
5e3d0c0a54965abbc261ad8e3f7f92cfbfd12875347150f70a2fda44476e6174

SHA512
4bf4dc96273fd812da1c8bd36233ead4e53e9eb0207985e863bc15465e805e0559d13d102510cb656a476eba3561060571eaedb7654abc1e53d9a561dbaa9439

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
35f2e537f7d6c2f519725475226ae331

SHA1
7b8e65f7731acfe098344e7f5b4c9cd0959e56df

SHA256
4601998ef4fec05e2dc20aa16cd4108a4cdb56c252cd3f57a5961bf10ff6b1ac

SHA512
9dc5f543fe3de0525484983fb18694832b2103ab105e8544327a6f46016c8c3f7e88c8dce295d5df74a0ffb440fa42e83bc4524852baa2aae9d45172f6b40d52

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bf76ab6baf8018d90dbc2f7327ef897b

SHA1
8bb7ba40c446cc8b35cc00077444f28e19133ef9

SHA256
e78bb7a5a6159172ff7cdcab3c0ba0d4e01cac481e084236fd2eda3867581a4f

SHA512
475175b3bdfeddf270ab299c43f09f6cf797c8399e3dc4815a8724efa896fe312effbd356a3a6ba9ac9466db049bb94cb488621200b60566db6e526fa693e0e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
c8f157b173b80be1b27564718d7b242b

SHA1
4edbfd41e52a21b875ce90d7951b6da0cde0ef43

SHA256
4dbbe8d76c5ec865ee9807b526b66390f4b28b9fc7af0b0cbb2c10e0b50e09b2

SHA512
5cb8f1c514ae5450bd2b530ca04305a6d17a36db5938985297d80e09b2bfe0668999289bfbc99cc9d4a324d3a49e5742fa1361f9ad22f47bf8faaa7d5f7e351f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c9483170620480d81ee19b0a19520847

SHA1
d21a2208ad76f4d0e13fbf0520f664b9a17a46dd

SHA256
32bf2668fb23ea50ce2e27f81d3ead47b0a015ace828d05d986b0d8589e2cab6

SHA512
7d6eb325e5e62f737c673045850d66abe03f3fc274f16a83563b91f2d0be4e94a7b1311a1e70158599e2b3f5ba5f74b014cb5e392e5ecba7cf44f06242f82c12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d413b9aabac6d251d3d18d5e905cc8ec

SHA1
0eb5b1c96c824181856697ebf6bde61f2a0a8706

SHA256
81b849a1b727af6fa1de1b431b0f160465140c588fc71a37de76103190c63a85

SHA512
e4e31eea333c8695f9bbe62541e077121ac075da038ff6b8d5805927107b28a7e3dc81221681629cd90f7f4bff49515b3f6fcd0b767a055d72460217084a11c0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
60e72adc5f8ea40af7aace3cf811999f

SHA1
60fbe258fd344c894ce61429d1f24fee120bad79

SHA256
9b32438e57355a687c0ff06907cee33380f94d95dba0d735a586fe3b93fdbf27

SHA512
518b356dd75f2bb941d622f3cb8a9dbfef9a1afce583cfe95e32324a1b5e0f0cb2b44e16aa045580f34e4f41e7c524a8507d0ba85f2804b55848c4da6bc84657

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
c4d9bedcf60ab4da8d19db2c50a458f4

SHA1
0cbb1ebf867fe6b6ccb6c13ef9ab6fb74bf45bf2

SHA256
ae36e55d3a881cccfb3ebfafcc536e9fb75b3b5fa7f1c2e936a7a2e5c2b26b6f

SHA512
5f75b428deba72aa5886ef9de7eaea9134a6370462c9425a82ee7f61e9f7c68e2aaa25b1f5c3ee4e3a139f1c928ba34942c1f65d38043cfc79394cf272d1ee79

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
4cd6feffae0f4ac3b8f76db866ed1ce3

SHA1
f0d12be892c238befc42a1a04b4b5fb99a77de85

SHA256
bd8b83c555a7d20bf6e2deac4fe1365af993b51d04dca12f51b33c6963b942a1

SHA512
24bffdc5c3bb6b6d844ff1e6e520d259076ff8923a14c594d28f1557cb8ee3eb4ad10c006eda2f0cf8d12dc12793e92548161c98ba021ce12fd028d1fba30eef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f5dff1c71cb3d4e21ab631640940cf1c

SHA1
0385f3b45bc421cbcfa7bd1eb4a8118c8c8db61f

SHA256
804774001a70101b1ef2d434b5734aae9428ae73782891dffcd0a8311be22b53

SHA512
16dd1ef99bda534e4c263760c91a2db959e621fa192f48aa75096becd6fae8e00f707f24e9b5ece61b1b65b716dd3f66df5a7a26e7cf4f77269efe874a0f9d9a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1017292a67472a32b685d5654f3112a5

SHA1
a3a5422c909bd25c0e9f9286ef3ad4b0c068c963

SHA256
86a6edcc48564952ef9ef533877fe801e06444230812ed717257e776759c3864

SHA512
9a639289bccec93aba3d895b7f0640abd887aa6425fc468167dfb3c144485714408a704019f23e96a1e5ae1fd57dd5eaa9a15989eb3a979da96c9e8927734af3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d947252a1c2038bed35c32cc3d3862ac

SHA1
3f9ea22b71defcb3f6e15ae6a9a91d627c1da776

SHA256
5bba02fd927f61aa2f58452a397ba1eb3a564a3b3a15ae53b4b0a8ae2269b948

SHA512
3726f8dad08eecc8e6d9ee8c84bcca21459258f2a4694cc9ef6ff20e11410ed30ef724cfdbd5647c2fecb60539c4978960f79b8d4eb9dcbe2350377cd195d92a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a9479384d8da2cf7a880b07539a8ef70

SHA1
c2a83a43104deeccabd70783bbf22a7e74536395

SHA256
a0cce667d062b6fdaf4dbdc48010ae51858e57859b62c179f2f372b1c6ccbe53

SHA512
56f1ba491025fb13ebd0e98bffe915a6a33d3b6293e13c4a9bd55282367334182f2e16b1bbc594083160949de2de7a8f8726eb3d833b544abcfb3bdc7a0972ea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a836e5c3172bafd3e2f0df5b29fc50eb

SHA1
862b3de7f7603fa03173dcd4db9a5174292f8ef8

SHA256
40e027e4a5167f1874c99a953b6bcd5872fee2fb1f66a7aae85bba4bda35d9df

SHA512
f2f56083f7781709ce5647a5a5a23f33f707beecbd0cf789d235358373922b0bbd7a15a8a71b37fab7d52b01c8e203129ca6f6adaa3dd464b3c9e8a1f44705e0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8928aafb993d30fe9587ba7d134257a0

SHA1
ff3f018699d97fbaa609aa59c9ed9a5cea92abed

SHA256
ff15c90ffd2d84726e6199b833c2e90f47d5434b661e6fab7fc10f4af0cd9d22

SHA512
3ef70fd366176beac1f7c65d5bf8d4627e95bf732c4b4ce0cd218ad4ee3aaacfe273134548572a0f9adc6b116491918a2553aa0a98e7fe3ebabeb0574de1fd70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
39829822c0104e318b1397f76b618ced

SHA1
0bb237fd97c418844b38d3262b6ac6fbaace1d4f

SHA256
494b5493dea3bc4d8ebe318b076239d1ec0a3c67894a92c124fae3d08797fafe

SHA512
d4c50cacbd52023c90cae3dd765c71c8b53921890309ce34c149d6649c13f32dfcd7ea58a831145fbba68865f7bc7234f7cc0e6c8ba033fbd82a96f9aac53e05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
8c6451922ce078bca3d5a110f2384790

SHA1
40ea2bc3a6339ed6401f219d233609ef4f9f7cdc

SHA256
3c32703456533f76c3b7a4c5b90b533f633ade45cd88c3fa9d63c9eff655a463

SHA512
7a4994ef7da98f44b76f1217bca6d6fdb7724bf52a09cef5892c6c68c41c8ed76680dc117354bc69d4a8ffb58c20d5cd0a62a73e653e5e36a0b37e777b4c7fdc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
18f0b67d31adde59b3e26123491a9003

SHA1
d3daea19cb49d4c6d9c39c0f03287e935a4b5a76

SHA256
ac31c75970cf1bf650b49c255a37db73adfe6c0dba524c184d298d6ab880e645

SHA512
f06a336f2b661f42dc94e9893a61d314c6ee80e120667640321e26d294fc4240bc2159ddb1f0374589cd5585ca3166e493343122c388c67240b42e23d5d06bb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
ae4561c56172920b74fa167df711f782

SHA1
fd584408e626522b4226a771f8fdcf8127d7e49f

SHA256
dd9daf2dc38a091f7a004f566316fb357fa84dabbeeeae8d843ce6a4ca369d06

SHA512
98c2a9ee179f21b1c7e64c95f5e491a9ef5f05502a8ccea81990925aa43f79a1134bfb6748a974b462510299b50b5eeb25c9c7cbe5ea121469ed51e5ebd84c0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
267bc411c0097564a0af87a13c4bf1a4

SHA1
ad31f543059ace2aeb82caf06025cf85b817a29e

SHA256
61b4f9a290e8eb1ac41a48c40fb7f0bf1c4e27bf6a15fc385d0e129698c8be45

SHA512
d9cd50bf0a048915ad7833703fcf14941c8731038e2b416283303973d3befe6c13bd345e817f4a77eef4efab85713514a04945f8f4dbe34e907ac26fa971fd5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
f3d908f8c36846f767bbca56dba3d702

SHA1
5c4f4e21a8994830200935c33b1336dd1e9ae0e6

SHA256
27af1d9662ca9ed70ee0ca34bd00d25f949bb0b2c68801bc8b1c8c78159803f4

SHA512
d5624884148e5a1a519bc456a723e57f8f460d98d2a435d1c5e99b8af763e6b3afdb567f27c56c0087167dae63740f5cf2ff5e00a8ab2fa66cd8c245754b20b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
d111420f516a7b512ef311e2d31c778a

SHA1
154994c6801a5e82f05e3d1e30ce9d5a281cf09a

SHA256
f0d3b964ca6de6e57314d16f56d5171cb0a57f07fa4c567e08afc457c482e6b7

SHA512
d35d106b18276f84034460b266d684ac8104c0166de142ad0fa65e7a6b19bea10e091a595eca164e7ecb2f2414e408ffb9cd6c252a321e6719d62e86427cf61c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
1e6384ff77c6dcd2f6c62d939e9d455b

SHA1
76a3bea482b347408838ff6228547b1487683283

SHA256
abe7fcd02e358b2993be01a2ef7b7480a20fad7459033d08209f469c548c46f7

SHA512
5704845fbb58ecc18c3d4b9d3a7c55e22e813ad29fa39afe0dfd402923bed4bd921ef360fd11095a0a50992edcad0a7008290e21ba12ae8431d952d9271e1541

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
cc34ebcc16d314b89d4744dc7f88f526

SHA1
58c36bca92182d271c3a931a206d52e77b42d67a

SHA256
0b23608541df7b4df9dd6f9c60c6d87a517eaa7b37f8ab22068a2c1aaa2bbf07

SHA512
3ef9af7047333bd75a7ffc0fc38c75edc9078ac025d48bb740b13861240e67659099e3946f7355816c79a7e2cc82704618a084a1d6f0d15876ea101a3f3c8310

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
5e664e63a4668213e674ac710edf45ff

SHA1
9810e0573b87faf2d87a47f97b350a07ce165f59

SHA256
6ab01171ae559e47def42529e1eb8234cd9ac74289dea08598ac9788c0ef2b42

SHA512
e868f944db2a19cf261165cad22dfc3042d80a47f96f806b679b6ef3f3e9fd2a0d02d894791301ca0a5f10d91a10d4c59c31e7366c15ef277e81dcb2870bc338

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
172ce257a3677fb48b2b4e2e347df671

SHA1
2ee44d806094f49d0faadf7e06d9b5e0423b822d

SHA256
f50e474e7b5e9a1c50cdd2978b8ceba4312f8a12533ebffd6f723aa0551fbf9a

SHA512
d0d3429d7b4c5b72e87dab3b71252ea74e0bf0c0cac35c21113e0d550e92988468437d3ce29d70a18ea7c814c8c90ef83b03c0f407728d105a967ea8c400e7cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
5a9b2dd7a3ac297af0b29c506414a922

SHA1
3966578dbe65027bf6b35e77543d978dcdc64cd8

SHA256
742d101810f964d8479ca46cd8b020ac11edc14bc21d5791ae52ac10dd644cac

SHA512
37abea114745204a1d88ed70fa488a428b42700ad15cca7da4d5a60a0d3c6c15aab6cfa69cbc90dbfdb2943b8817d45e7d5af8bdbb78fc71d9371691298999be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3be7d708cc285230111e791ad37797c2

SHA1
0f555db32e5d4172628d99da2fe30aa4664c2311

SHA256
9108e699e42de5a2fc9821f61dd4a02d90b38fc7b24fd3ab43fe051e47e62050

SHA512
847a4fc8b52ef1fd1d025a9d3af6edd8762d0b8b71f43201ab3f06f0765c2509d96c1fe76500f97ded39616099185693a18a66bd04da77eb66060ee645d9980a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
69dab67bf616dce1b808483356baffd5

SHA1
e1c1a1dedb7d2af7cea6620daf093910ec2ee939

SHA256
05d5b107693cdf6765b7c5404d0204c873a610f9f9d0b0f03bc52e0eea76c8a3

SHA512
31fc2887b228bf797472fb3f2950180315d8ccd72cb3e9131d51696d42673d7cbfda1955f1f21aeaed4fd7e304abf68f1239ecf73e708a60835ca8eb2511dcc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
ef20ea80d879dd6d9f2074a95e264b04

SHA1
93f4badcd1b564945c6cdc40af33d7c699dd3f96

SHA256
fd45a8544d8aa0d19591e130cbc6e238dfd1674b15ba310780aec57019e69fa6

SHA512
70e6df1663675fad48afab1c5dcc3a7245e072d78db76b22732e0a86816b1683e7027c54617ad9978a53de246957c61ababfc3678dc6c7d4bfb61f505d2ab4a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
ad91f9e841640d80fd55ba151d5ae2cd

SHA1
6b598b485d2bd8e8cb408ac3d28c0870b5d45b44

SHA256
ec0b745d34e3e109a50b31a9b172ea778f02a45acf19aa2a16033cd233b02242

SHA512
8a37e79b47c36aafde26b472862aea739732c9e5d188b23d2779e97d495e50b0b62abaef599ee898f25f83d4b5355d23160029cdb9baa8bbc12179e9fc71ddec

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e32f00623420828609d5b81a1e087181

SHA1
85358297481b2359d528fbd38d50339d7185ada3

SHA256
7f0fa4fc52305fd5359d0ab16dc762b0558e504c452837f892231ac69e211e0c

SHA512
6a1403e8031e1531abd47b949b51b27e2e64a90a6b1ba4630123cb98107c899b37bf351a696c62061a498c8f7f375e832d60db3689badc8d7eb33a5fe5a07bcb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
fecdf7eaa6c3c16943dfd486c0af572a

SHA1
59aa2dabb7cfe10fdabcfa6f34c9a03c37de9b49

SHA256
cb38e6113d19a05b637b411131585094ac1c20d376f6e4852abc078057b6e07e

SHA512
63837803791ec09a6a26b55d737e983905fd4c8f55d71d31f19d24875d347b4a6e2100b2b900f4062e67b6f706555eb4cd5d956d2ce503b4138a60eb3407778a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9bdc9eb6a584398a9b8093b855f40348

SHA1
2058c816dbbca2810483060ca351205d09b6bdee

SHA256
b06ef6cdcda090e1c3abb80dbfd22991421a319a7d5a7fafbb815d8a2ddede20

SHA512
8b8593809fb1c4ef4b56214afed48f6c1409d63e4f4e184ad7c7e489bdcf1925b67914b219723994c993e0dfbd6122dd542f1dff6679e1e4f998945728332287

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
20b4da942b30b2ea1f89c4ecf309503e

SHA1
342c816ae833461d1f7dba515d8ed3a8776b0ffd

SHA256
32e3775cf69be668a83fb17a69819ea9e65c9820faf8fc20a10bbc028890c85f

SHA512
0c6ae627f39c82f28d50de799878e45a837b3c3fb3d836c7bdee9c8ea7fd116a68606141e5e7ae5a9c6742818c851c0d4d0a167f01296342fd032e9499c7373e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
cabb89a46c3098048d43c510e5b2e696

SHA1
c6e31a00c8753aaaa2c84c2bfcd0e1aa056f9095

SHA256
9703cd6641aca2f70105608340c450f7cc30f84c1d9d066ab0f1cf4bee11d83a

SHA512
bb3be5dbafc93498ceb2de4ef50febc13025089e0af3acbf31a8eada59905ed49fe481018513b8fdcae8f9ac281965a13703d9900ed9e9620268c82505302a49

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
db9cc43d0623e006b8932e487650e33a

SHA1
4259eaf581a9072806a46e9306668acdea15845f

SHA256
0703524e64ee91d3d1d99f1f98d0276681b7922c834f37144362a81a511b594a

SHA512
641991324710722440c1093f5dbd6d4440c4b9b1718b46f203095f5357045d281afe72d5ae2b64b6e9147ce3b26713449abbe08cb810465949a4fbbae83de1fc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9de38db5623e1de4945d6be91f4d4428

SHA1
40ef15aabe810753e4a09dde577b91177511fa7f

SHA256
92a2a9de03db80c4ae4cb316e45b84e5e2aa8e228b2f4e4272560f7279095be7

SHA512
5754763310e80aa23c34facdf9e3baebba59fec6e63ee1def309451f352c3bfb088e9b6cdc5f223a37d898cdb5033b02b4b24215c9463536c46c1ccb489f219d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
df7b61e7fb5cc4811a5fafafb79b3668

SHA1
66a80cdad8138ca7e939ac1133379d050e2a76e0

SHA256
fddd88b86288d228a04eb9a6eb4f5f0e81f7e9e5b145b3b52656e492e9272e64

SHA512
b6a9256ad848ac435373927b37a477a8379bd020fd07e89daa824073e612e125cd14482aee92819c9fe67ed286590c5eea0e33a4191189d8c005d89875914131

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
7f995f2f03a893dd548ebb088dd37f3f

SHA1
31a15a5ee596f29865a2360c24be249092e49e0b

SHA256
158eb9d6a9e7c04090736992de7d1ede7498def37a00dd65c53e1178e2282bce

SHA512
5836551d074368dd84cbb6a1b3c468d29c23f7b74ff0ded697cf131a3be8f1279dff37538e23fe126e391202c9eae8acd32d190c844b25dab633a3e67680bd03

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c80e53ecb7c27e13abc72d944fd53bc6

SHA1
53373b6dfb09a0862b6480fd534b7f674460f2da

SHA256
af794b650b727fb70c35e5bb8ed7575e4df72b634095317ca3cf212f175fc284

SHA512
19bae504f8f7199481fc810e4f7303720751bbda8f5121c88b6b032cb3eac346e5f17a9318c63467d549cda35fc44ce2c82f2ed39e1f31aa288888ea142d1f8a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4a5c41ef90c9fd60899ba913f106140d

SHA1
f25ae118d43e78e5487d24ad25ec9483dd0f0495

SHA256
efced7de00ebc43d187f7b3e9cb4c90478909cef4fadb5b662c28bd1a5feaa7d

SHA512
b4551a6caa052dda722974a31488c070e3d66c9a236d0be777e432097080bfb1ee4bec1f787c4ff64f1db3d5fcb1dfea0f3ca401faf448ebbed0d9ca1c52beb2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3e0e86a25e5ac5d3f7fb28b2f5163076

SHA1
8ed989754c5b70c262f4bad2c46d65b0bfdad917

SHA256
29737e1a6044fbace3304678fc9d8796ce491a318409f2dfc2bd534b74b2efcb

SHA512
4526f1cd1bf2b514b483b158f9446f40c2987f142e44b90c161bafa02c8f2ea63239af3780c46ed48c831b0dedcf0c8a46b3d801629c9d3cc2b3740571a24862

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b033fbf9060c250aa712fee154edd00c

SHA1
e5b5513041f3593f5166208e355c98d7a21133bf

SHA256
793caaa1c00958357d95f0f89fbfc9917b2b470dcfb7c6c426c3db7f56d6982a

SHA512
513208996e779c8618e443deaab91faf439790246deb917642cf90d88737255386f8974a397acb87264720111437bedd8a9f9448bfab1abecc3c47e693047233

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
69dbadcdc126ddf766948d45b103e051

SHA1
f7d7f31bd3c7b5c682c9a8c33643bc12c7eca053

SHA256
0247f3578ea2ad78509d3d532e9f77b1e16cca2d9cb117047d4bbb0676a6d5b2

SHA512
c21783c678fd464a10acd0225f11b638d4018b7614ce9277c2376db0d94390f3134f4c7102a9415ab29ebd356397049f596b96357bffba26aebf774710fee37d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
731e48675df8e475c692b4581a630b60

SHA1
d9fd78052442c6714f566124aa2db5be62df01a5

SHA256
5f3b6497b8c1629020f53b7adfac39ced12f9a052999205cca68c0c0d9822c5f

SHA512
d18f1207ca399d250e1ec573f904895b0310962fbb1e11607ed8046a3d1bf6e836740e4e2af3df88a5ac1097cab24574c4e3e6dfb5b66a4907f089815c84de60

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4a2f9ba734de3a0e0242006640f8d1cf

SHA1
a2266dedbfe5d9b4aa6335f1bc8da7b735c50b43

SHA256
d34cc3593261460b072f9f081a5f5cc5d278ded632e09c706c3db56a1a980e88

SHA512
a9bdd3a0f7f39b2d2db9439a18461bf919f0f50713a29cdb76d6ce3e59b292194070e98b70ee349d5d6345067af263154c190fb454d0e9d0328306ea1452b825

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
e760f3fd0dcd235ef447f3f5206f8927

SHA1
ee4fc3e7a899067dfb2e86ad2aabd9bf9598ea10

SHA256
f9e0d6f3da440722098d32485e5b4a5e7e16ec4fc2afa7aeae84d7a9250fc59c

SHA512
8cb49eb567a39dddb4097210859ead59502a05462279c2068260b615128a3d1a0e00a4873ad8ba3108e4131c4a263a7f867bf6633cf8b247a7ae70a7a0a52288

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ca744b1a5d75c00c9ef917ae4e5fae2f

SHA1
9d6462c1d36e904709c8e20a459ad321fed85229

SHA256
047b935c802473e8acf84f759e1808f897f6602c09002c1afdbce831ef9735f9

SHA512
6b7b60a035a919dd835fde699299a6d2ac19dd75ebc26d6ee1e8de17ffb5c60da70fd662cf8e44bf6ea19cc83bf89cddd68f26a02e7213a3d8baa30863657ed3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
d5de28dd4063470ee98a9159838570d7

SHA1
79125fdf3c4a26ce616ebbbcb0537f1e08a44133

SHA256
51deef85b47193a638b7b9d1686f63497f9036dc29578998de58733f54b025d0

SHA512
a7fdf489b3bcc8d366063cb3fbe6d8d4cb4a30cd3cfe3b3b52d9e763fded909cf1d80d670499d9f0cf0f2f2e388bd959a4f63f8ece0f702d1f391423b22ce146

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b54549f15f4167dff17869881a9f11db

SHA1
224974acdecf6adf50afe55a0995f4830b88bc48

SHA256
9885cd0616d51664e8b72c41f84ac041eac74e5f5f0982621b03c9db05b7c1ac

SHA512
b16d4e87efea02a2939f2a6190bc04e4cc171c53ec409fd5e8266d69ed2efba50116e7b7a04b832571aceee89d8f5efe862d4a9fe6751875d8b2348f232efd89

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fd7ad5caf041609d2917b9a532b39f46

SHA1
0ec7c97df15604edb4b12c695c2c43c91d0c7ecc

SHA256
f8086fe77fc0a8a0b863bc43be6686abbec8ad34e2beadf3778f1563d0e4dc43

SHA512
93f9518e703f647bdc17c152397d7d3e2b0e0a99a33aebfddc686f414fc7fe317afefdfc85b79a375752e4a65085f3009bc94c397c2e5c922b3705f0b8c1a5b2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
94f3e31c17071a9f753297955a0d6498

SHA1
ce7431fcc82e9a9b2768bcc67db1e48be771f3b4

SHA256
cf40b27ae0a14b7440263e1a039504aec584ec0c71089e4dbcfeec4016f4cec8

SHA512
08c434ec0228262080ce25e68509618785f43a07ea2ef8884e2a4e40e09a6a17bd1d618f7e4f5120e4c1638a099fb69f185984c5e0aa191144ef6301f7f13f4c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
5db8ad18adcea82f7af6967ba03bd9de

SHA1
742f3364ee6160f454bcee8f2bed7eae63c5dbd7

SHA256
e69ca1e0a9cc04a665f731708b51eebf3d2614919dba489f65a6f414b6c2ca03

SHA512
f1be9dd152819aa489035d1cce6f40bee1e0cbe8ce5d8160964f22f86e3186457bd33bf3b9a238b50223d8de2c27c307739c4592b4c7217f9deaab52677bf31c

Download Submit
memory/220-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/220-500-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/436-43-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/436-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/436-37-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/436-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/436-57-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/704-279-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/756-230-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/756-505-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/844-470-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/844-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/844-482-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1008-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1008-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1008-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1008-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1676-89-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1676-88-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1676-208-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1800-242-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1800-506-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2276-128-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2276-278-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2368-126-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2368-11-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2368-20-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2368-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2404-502-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2404-197-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2480-229-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2480-101-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3040-127-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3040-35-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3040-25-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3040-34-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3236-138-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3236-435-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3352-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3352-508-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3508-86-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3508-81-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3508-74-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3508-84-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3508-73-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3720-161-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3720-483-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4108-115-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4108-235-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4588-501-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4588-194-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4692-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4692-233-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4816-6-0x0000000000B70000-0x0000000000BD6000-memory.dmp

Filesize
408KB

Download
memory/4816-1-0x0000000000B70000-0x0000000000BD6000-memory.dmp

Filesize
408KB

Download
memory/4816-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4816-100-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4872-48-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4872-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4872-54-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4872-180-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5112-507-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5112-280-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download