297f23b2f2c0bec15e5c51d0d13b561b30efb183a3e343cf60f249ec9611096a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
Size

1.8MB
MD5

5a1e8cd09a99352e86e4d26f4811238c
SHA1

ac576d2920817e2e950b6d3089ddb8e733960a18
SHA256

297f23b2f2c0bec15e5c51d0d13b561b30efb183a3e343cf60f249ec9611096a
SHA512

e27a602ec25e53660e7c6b81edb77dd545a77acb2c4ec20b710a596d2c7e5d67adc4a69a947f89abea8eb5138b76d5a5a3933dabc46b8351c4f028a55e46299d
SSDEEP

49152:sE19+ApwXk1QE1RzsEQPaxHNWkQ/qoLEw:R93wXmoKCqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
544	alg.exe
5040	DiagnosticsHub.StandardCollector.Service.exe
2668	fxssvc.exe
400	elevation_service.exe
3836	elevation_service.exe
3644	maintenanceservice.exe
3100	msdtc.exe
1480	OSE.EXE
2556	PerceptionSimulationService.exe
2336	perfhost.exe
1556	locator.exe
2620	SensorDataService.exe
4564	snmptrap.exe
3228	spectrum.exe
3720	ssh-agent.exe
2836	TieringEngineService.exe
4288	AgentService.exe
2704	vds.exe
1492	vssvc.exe
1740	wbengine.exe
4080	WmiApSrv.exe
3824	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\27590f78b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddbab8f58fabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b31294f68fabda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b425a7f68fabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b21f7df58fabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a92869f68fabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075bd7af58fabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe

pid	process
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exefxssvc.exeTieringEngineService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
Token: SeAuditPrivilege	2668	fxssvc.exe
Token: SeRestorePrivilege	2836	TieringEngineService.exe
Token: SeManageVolumePrivilege	2836	TieringEngineService.exe
Token: SeBackupPrivilege	1492	vssvc.exe
Token: SeRestorePrivilege	1492	vssvc.exe
Token: SeAuditPrivilege	1492	vssvc.exe
Token: SeBackupPrivilege	1740	wbengine.exe
Token: SeRestorePrivilege	1740	wbengine.exe
Token: SeSecurityPrivilege	1740	wbengine.exe
Token: 33	3824	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3824	SearchIndexer.exe
Token: SeDebugPrivilege	760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
Token: SeDebugPrivilege	760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
Token: SeDebugPrivilege	760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
Token: SeDebugPrivilege	760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
Token: SeDebugPrivilege	760	2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
Token: SeDebugPrivilege	544	alg.exe
Token: SeDebugPrivilege	544	alg.exe
Token: SeDebugPrivilege	544	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3824 wrote to memory of 3320	3824	SearchIndexer.exe	SearchProtocolHost.exe
PID 3824 wrote to memory of 3320	3824	SearchIndexer.exe	SearchProtocolHost.exe
PID 3824 wrote to memory of 3152	3824	SearchIndexer.exe	SearchFilterHost.exe
PID 3824 wrote to memory of 3152	3824	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_5a1e8cd09a99352e86e4d26f4811238c_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:208

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3100

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2620

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3228

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3496

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3320

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e0fe7b3d3fb771a11ef3dbc32e9371df

SHA1
247e5532335acac81444dc548b19886cff57533a

SHA256
7ba99dff7b92bfb2fd7b9775a8cf26560ee52168a49f38b109310b2610d9b3b5

SHA512
acf975d1a30acc5b60d2ffdeb53c8d468b95cdaeba33a60638d28fb0f7b71bc771a26c720a4de1b4953b7e5a8bc080092899af6e5b02685c50e30bb17aef1503

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c805cd569449bfac8593b8e5a996a241

SHA1
df019ee83fc5a7cf95abba407cf3d18b4cbd1179

SHA256
8a4d08b7179b6f998116896500e768acdba72cc3a280f50a96382f63ba6a505a

SHA512
7558292ff2f8de54420231f08bb3baed23ce505c92e3d8627494b1e763c279fb16ae37b38eff5662a1dbc476f481856ca1bdaf179f9f2bab6e2f8e99bdc92fbe

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
1dd75758a8f48e31e57a6958b770a028

SHA1
4a1d33e12e33d688267d711bb7eafe3e2c311f85

SHA256
93c76e6cedc6347f9172be3841f2501e2bcee9231d88b9f20ba9a429fc680328

SHA512
d2a8b3539c04a1322a02f63627563a882cb3b059610287f011d7df4927bc5f3036462cce97e675c08771e7a15b2786d9d68bc8e747fffc3377720873584a8051

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
404fe70b2a43c0fba992b7c6b1eb95a8

SHA1
6294e7a7921bb24fe498df6f970ee275ea981457

SHA256
584eff256689493dad735d0b86944a63924143e6ecff88d7f9838ae3dacba02c

SHA512
df7b4fd351ceb17d1eaaa145c9c504ec5030bf6b7278b1c64864736b076291e41a2de841bef7d23078b924fc0fce6290296cf698753830e8481605806fd57942

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3648a9407db8a3bc69eb454d0a48830f

SHA1
02ef472a60d097eb976abd17b3aae547e900a836

SHA256
bd51046ff965b14703e14661f26df9bbd7817ddaff659b2e9137d0133608cf6b

SHA512
55becf05a54a0ee24209bea231f69491977912677bfb6445fd67a0e5a8e798ee1625d693c74eb5f2c87bbf6453b937fc4c89aa391e37dd8f2177272c186c3969

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6a6350c63565948335e0c9e2c33d0aa0

SHA1
6e1b424aa2a966d3ba74b8a86183b4a1be270618

SHA256
54f0139ad2a6eae376e7ba3d3cfbd50ca54406d71a3ebb1fe3369f995977cb7a

SHA512
ccfd13b514ff6ff63c051ee7c217cd416e30ad8b800aed74c9c24dac10e0845a37fa140189e75debac88e2f5a50cec2340e7862acf8c6ee59a32c83cc6c3761e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
a0844072098778e9affe2a24765e86e7

SHA1
9c295381742df8ecfd4b1a1decd42c24c3fa1554

SHA256
3ebb610df07d334283dfecc44281bae3c8232951805f51505ec4e1e79d204494

SHA512
fac756fe8cea60f35c64ef6422fb7e06ccac0fa93702a139b555b77b233c2e400c8107b3dcf9f0ba156c414ba7be7d720c5ef02076e43aa576665b1eecc82685

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b9e6082a83f7239e72455b66abf8438a

SHA1
d2ca1f81261218ce5f4acceadc2a4d72d35aa219

SHA256
cae772a63ff435c4109f9fc45f977caf51182a3d1911c2da3cde709cbeb07d78

SHA512
458ea918d3622cc11222d091c9427cae2ac27e94b5fc7b636f8e48f9f714bd01e960fd48bd5d941e8936019cd2018c7bf3fcd3d51d577bcb697527dc276853fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e0c33357d9e60934fcba065b2c0bebd2

SHA1
21f58b6aa7d19c16868e4a94980e6781f946ea5c

SHA256
2c5bb0f1f6e2fb0d5a902cb47bfbd202734641034647ec1089614dafed87f702

SHA512
f91cf8a931a88b449177f20462d23bf56480eb3dd350e09d3731f44bd932ba79ef945a59749d647aeccca280f72e6240cb0a9ffd3e842454159d1c85c139b298

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
05c4447533b8973349500bc1903c5571

SHA1
3b829dbc8436871f822387289e00e6db6ef7251c

SHA256
dc13aec2834966347b4e599bc4be6329b011b28a2d5a4a5b87627e3302469d87

SHA512
f7b1d0ca950f51b3ee8586c5825ed09b65458e8a279ee4fa9576a324d6fbe24e6c417e35952a1b8e659887dad537c62c8d7439f00065904001caaab9738e51bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
71d347d4de5407eb6940dac5f6eaff93

SHA1
e30657f0cfdbf45b554e2202e1573e35ba409486

SHA256
de7a1ced58873abc0c20b45474c22305d1ae4a1dabc4af053f691d37c8e571dd

SHA512
b5c73b878f1c5f179a795135de80950a3414f4f47d46509b9218523b12806f9cdc71f79181abd01a7538c8289834dc48a7a677d63e33f528d76f60a6cfe501ca

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
64d7e6ba2b6ab6b7cf8a42ffca3a6e20

SHA1
448f4eb924c40dbf5342da30e69c72bd2b790f41

SHA256
e4cc1e40b945221b92237e3f09099d16343b976e219689d1f862450e99ce8e4d

SHA512
5a5efc30f0931711dafbc21b164670497c3f48414841c97a9973d4500e54b83d519a8e5aa72c2363f663ecdfd303c6f4b74c4d55dd02c641d34d169beb1f42fb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
11f267935de7c4e203d461938a50c42e

SHA1
08f1d200398d6f808d0b7a8c65e06013445cbff2

SHA256
23b0c0f35e77d8dcee6f71fdbed4b271b5eb12f852182d9bb5057e596e708d1b

SHA512
7bf707ff2fccc47c6faae9b187d0feeb832f0e986110ae249126fe13010f09775d503f8631c894d1a30741d237c9b944c3cdee2c0fe49b6f745ce9733eb1e933

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
3bb6fa46e3bc5a7f51b8437324946c8d

SHA1
27d3f72168a80a7d9eb21b69b3f0380a0984a58f

SHA256
0cf5ebb1ca886114f5f0d71251b1e076d345907e2f21891452ff7b89bfd84694

SHA512
d26c3d86c7256fe19337384d353e2869cbfbf31a38b2db4a0b954283dda28d1bfb2285470ea76dd6cd7c7b3701decfe0b615c94819253404719d09f49a7e44e6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
dbc313ca766cc7ea1ed55da97d796e61

SHA1
cc273c3f124c60afac24d3db35973e6ea2102583

SHA256
a488f4e413454fe22aea5d3f1241b004557e1b30bf06e1bec7b9101417f13fc3

SHA512
09c10e4269724a9556495bd8b3c306f5199efb0d13a0890aa0622709624051817f1704809f09b33e969ad2b717a4ca4c3d137799aa19ff443ab8288620c582c3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
953c20f1d8a85b98d1cbb2f71a54be9f

SHA1
ea02979942ca6e9b2fdc95a925a8102b4114dfd5

SHA256
bb2fc4c98f6f0359f7254848485014385bf41c6fb7f77ab3d2faa72c9f550a14

SHA512
55f1d47c028a46ff3758e405ec0fbddc052f64aebdc3f8f2ca41f4e416c30ca68fb484716e653f3a2e725dab306a478bcc7cad518036ceff3b0e28fcf7c9db97

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5fadc6f61458a24ce67cb433ca580cd8

SHA1
5e38825a40fbf80b22e46a5791e7f32b2f85f7e5

SHA256
d541741c6f958b7ad9ee4c2015673d4c1adc96bae492f6cb78045d9ea5bb3fb7

SHA512
4da74a2c5e8dc44bb5b7e47f3dba1ea47d2cad2e2fc8897e3ddde48433e5296d740f4824c5f51c61539a887e8fe18571858138512682ff52652020cf88f31e8a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7bfe18b021283589e77e343b7bdf7fda

SHA1
92e388c45af1e458f6ca7c8bba3b6d5d7be395bd

SHA256
df25c62a1071bc678f6a4dbb1e7933306fc90d213169ff88b0f4bcd6c9c9262b

SHA512
17075bb9f70c0b5b0c9afdbe63130aa7bcd8eb749b24dd6d014f8308d324db3f7b01582833920814a7e24f9c2f5a88ae91f7e8a2ea7131846295e2c7902aeb40

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0738766d59fcadf715e7e779ded9f419

SHA1
35f3130f8bb458c9649bac35a2274d95308b1f20

SHA256
fe772e589c8d47e1e8da98bfca0513bd134743097505c3d1d193e9601cc3da5a

SHA512
79634ce8949c1ac2e9fa4fa7dd58ce5ab7ac25dd6b051f4ccf21ea90825120b03dede8e8dbca41943aae42b05f6aafb38d53b52ef6dbec32ab967c32e1ff2be9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0781d110878d9721683efa809a08f377

SHA1
0021b77d6d2786b5243d9f7ec78caf900f55f811

SHA256
fd24b00e6e23b5e56afb7c8b522440512750e87e594f34cbd133a1580e37d732

SHA512
e6598495875c95d5e82e48c8481443a024a9083d696c1f5f09f3579b92cc24c589be89adc5baa6f38a93fbe78d5dd9890cb5f4a64ce94dca7f75797e802f4ee3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a2ce4d6d9a5b18cebd6b02f77d1e6916

SHA1
417610c2ca9541615a9002a23dbf1739860d1257

SHA256
3c8778ff1a31c54f0bb0efdc487091709a0cba2f961da2abe520493997d3dcdc

SHA512
d2b1fedce9a6f8e55c904958a77994428b663ff679b905f09c485bfce0110ddd5bce558ce7cc2d6d7752a8e92848a80af28c1c1ff4e09911f5b55e5e1c3bde64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4761a7eb270328011e380e20de693938

SHA1
b9508dccb8c59b489c298ade0396db777611b7ae

SHA256
2d544e6162c4d3f1123fbda3c3047d9c4d0f4170f0c894ba8a77b23ae662ed96

SHA512
bfc8ebd22181090b1d70b6bb75394d78605429274d185c750bc172886918ed0c6330b7c6296f72d65453d79be71f075412a36e890a6056331325c2dfb39431d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
27fd404265c18d6b71492a10efdb3684

SHA1
e2be640f4439a6b991cdaa474749e626ddf85a5c

SHA256
e78c3ee499d1818bee7eb01d34ef78dfc6a2a53edfad672bbd86186b281bf6c7

SHA512
2fc08d453105435c4b2cc04fae27d7f6c4ee955e818ac4bcb6bbe1bbcddeca23a9e7fbd340ed673338f52e556c89a238298ba80ce0e011c2ce61a5003f6000a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3bf6d298e6ad86605b8b423f6d06edc4

SHA1
75dfce9d013bbdb20dfca7c8429b2406c65afa7a

SHA256
8d55cb9a53a372e336f2f27136115cb3a30932d51c4ebb0445edd340ef71e1b3

SHA512
4128dfee4e783fafd73fcb566c06209c376607baf3a61e9ff5b39f54140d32647452e0f4a8ed545bdf71ede7c760fe8884ca54fbef044ee1465390bce7abba69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
9d239c7781ad259cd4be5933dc5915aa

SHA1
beb6e5cc60fde8622b6583ee375d15b6fd501f7a

SHA256
03491e3531e4e59b566a180bfa0ad0a1491dea554e79405a9f80ce60902030fe

SHA512
a8e91d98e219acd44433b9e9c4907307d7f7abd8bc629bb18d2af8b04143f9ca07182b13caa3b73f08a4072f4a375105b0fcec49074526ee3613ffc8f84af77d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
94ccd122053a57af31319f6bb311ba07

SHA1
c9e58baa554bf75bfba24227c8979a9f7595c712

SHA256
fc91119eb1a152f806770131362609a65b36fb179ac544c1c6ff12c23cf64577

SHA512
c68f46eabed2a845b3696dfa8102c088f83ad56bdd89287c38b4be0f5802cbf8ef6d705c2f95f92d2439c55055ef0aa20f1ae7e7ca9e6f4d5f4e596230b01096

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
abf9401c57f3203ad930dec8d294d62e

SHA1
0e6dcba06e3fda2cfb49d12c0ddab5c525901190

SHA256
3db1b07db7c056370b1d596bbeb93b82e33bf950c2853acc5ed1f81355f179d4

SHA512
f196574e17afd5cc3cb650d4c11fc0f7e5e5b252e1cbd566815cfa1fe3f02d1cf7ac89b4855df49a2835d3bb18d30f568537f75b853392dd2823ec18751caae7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
033d497336e5ca937e7c66ec8e8d460a

SHA1
f7a71bc6c8203c610d75949c7f218c818666427d

SHA256
18c276ae808e67227cdbe068e94afd5aefe7fd34f8605c48168bbf3c55b88872

SHA512
e78afaf94b75ef978d86b576a869863d1a2723f0030c290c619e19f20cfc478a4e7197816204e43b4559b630384a4b33bbd5bed37bee94426fe7a84c83811894

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a45682fbbdc443fbca3969a5c4d914db

SHA1
c2c5846fbe662fc6abb64884fbed399e1ec6123c

SHA256
8c9db0381d23d86b785f7c1d58418846e7ef3e818d671a0d6a696cf92c0dc14a

SHA512
de183c2588d7be66ceec3753d9e4278ddeeb257ead89bb68d629a829d805c218c884c45e42358034624f7a65e423c106000d05400cda390deb17a336ac420ac4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
2d6228e154d49b9296d0850e157cb4e8

SHA1
dca9a556caeaced7a31e1dd089b6ebc90c4aad58

SHA256
7a882ceeb4da50d77f7715b813991a2ab2016a632180b65dd0b0bf81798b9ade

SHA512
daee5615e4ee6d3d26b1b46fa30b54b98c2119c3b8331c9027bce14aaeab5f9e8fafeb17b73edf8ccb60cf7d2472a552b41187345705e1c2f9733a14369d4a99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
045cc3d201bcfa70567c40b050261cad

SHA1
34a278223af83dea5baa7317b41372ffb6812605

SHA256
cd8e0b8ce5921831e8ec94b04bdbe0716550fee2e2fb61a704650107a59f7dcf

SHA512
860d6126957fae33a5aebb36341e56213eb2975f04222a471c317ddaada3a4ca0f045920ccc9712c5b0a5a631947f6a92cbc591fee1923dd66451c16f8084c46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
53579e40a7bc7bc880ccccedde75f94e

SHA1
378b2f4e825563f6e3b44cb26bcb79de5f6ed0ed

SHA256
31ff85d1f5794169765df1c68bff94162bc294784a87944c4eba6538d43418d9

SHA512
c96a248f409ed48ee2146efa4e2fd57d6a1c4d06fd2871916c8e535b99d9028a4057d69332de2bf2425907267525a60fdc53f1690df865709df64106ca7247f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f15618f36bd631717726d5c3dc2983ca

SHA1
f71e04410495f9f1628c75da748e6e590e64f2af

SHA256
ae5fcd7ff8dfce6f81ce8d4f497ef9492acdbd48ba27017da37e1e501d154027

SHA512
705677234325aa9f0ace57e04e353f67d5ece1105d163ab870a73f171d853c555e5b5ae79f40ab07de14d7d9647f3ce9c8e7073d0501c0a6aea31a2fe90d5188

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
d5939a9fe06d3953735692fbe75208f8

SHA1
61daf71084bb63913747a20e2542b1372848461d

SHA256
a5f5cd614328d36db41762fd1d6c2af0321dfc172743c2af7b142342b3ce99a3

SHA512
027d378b21262f8fb082cb8d6c82c45e262fbf53f956835022eab12f55e92dd39f89fa0663b23d4d91e81899382bd68a717e1f51d0a600cbe1794ba746bad452

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
43cf4e6870510cb3d7538da537ea0c6a

SHA1
3f60db6c297a7036cfc98734815948b6ab7b5a2e

SHA256
1ec38940d19f052ea29c5631be3b4ee974f62170af6ef91ed4c8e91408d23eab

SHA512
c4b3fcf6c7ca0f675e3813266c4e355ff826614d432428eebb8ec0644556ba9dc00e449a0f38391621b32caa6ea523b7a1b6dba087a19d7709900b54f94727ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
24a9deb8e376d9f3237dc811b7bbe025

SHA1
1ccfe783b90135c899c21d85977c81a2d3877993

SHA256
bddf203207ca4604cce1ffc2b761598c92de8b3a4b57de242fa2452cb9a7fc75

SHA512
54b2dbb121ddc97a0509b26eb28ae982e6d0c1b0cdb290960c00531560c8e2241da66310cbe69643e1720cee801550c1e652e5b2bf25de46f0aa61eb0e326e5a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
46989193bcb666729886ffd86873dc97

SHA1
4f6a4d5047259c7bc3cb3902471748790b115d02

SHA256
5654ecb02710650fdd8e9fa3a4212dab5bc11464c0cbb1abbd256e3effed1537

SHA512
caa1c7fa241e42608cf5269b5713080c4f95bd88ca5e23191587c25222b218d1f07bac5b638eb9b376dc77c9462211252cbd4eedf3dff8620e8767fa10529a07

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
40363fc8ac3605b2ee56e3e63002008d

SHA1
6543461fa39533aec9de290acf471c87e25bdd17

SHA256
9686b6856e10e168733c70d0f6a952aa5d7f29203b34a4029e70e6cfa92e28c6

SHA512
a729479b42d53c52085b149b0f17058fa077f80d7556f6719b8c178afa7069e4db5b7b70b74eed3932a89a8069e8d6612af0fd2f0d2543a5efae11c26ae23852

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
8868405b755efb349f17c31156dae882

SHA1
f08268c35db95d477a5fa5fc40f6430649de4ec0

SHA256
9cdca61ff22ca9cf9c1575293e005f0dc538e54c0a8e0f53820869ac772ccffc

SHA512
7c30da5d4c17f729626b22e2ea47cb37e5a5661d5c2ca53b58b91afe802c6ce03cd2d20d23d47f43334f20ac9f38262b8a7693c747da0728a74cb207ce4be952

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a5ed98aff5f054b41e3264d65dfe68df

SHA1
507d8cfe145e2b89053559e3a40dd81069d1d73d

SHA256
290da327d74299f4aa96a2d3c9e3c614fd4922b13ea4b9c2253fdd7936c9aea8

SHA512
d9f7bf924117abdcd2c492fc872ba0597baf0f979db15a0396f2b158373aa353f524cbc032370f5c056c282033c029b93dadad82cbcea389cf14f0345a965f7e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4e42f7b186d3cf4d65326e3b93dd207f

SHA1
a83414d476f783c73791367b7bf9ffc11d41e779

SHA256
eb2593a7750b2310edd042afaa713f9b1b819a3adcdbc05e90f6120954a95bfb

SHA512
cc5373655bb2a9d40cf33bc9c14ed5ada8f751248eb7b47423bc4707f4825d41b4c082fefecceed78ebe5932a8ca31c3c96dfef4ed699b16ceb1e3d9ef22bf1d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4cca3800660a4746a2de6ded44be4573

SHA1
7d917ad5f63c0e6bf1a21a938771d7f4f5a7f229

SHA256
a00459041445f19876a9d55e26251ac28bb1fbbc9049fe5a99a3b9d3196b7927

SHA512
b2f79f617b8afa24db1e1587fa4d44998cc8fd36c6259c9e70844feb539c4c0f01469b5bc6ae53863cf0a108d6a625e1f215221ecaa82df70c07da001ac68099

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e2ee31738d897b433a187c048a31b0fd

SHA1
1bb441776b66b3fce51373f520dd2b6d04efdac2

SHA256
fa6826fd951cab61b98d9296e3b13a19470230be6c04230750f725f33d374bde

SHA512
794687ed06b69fc7d4acbc3315935acc3b9ed7178da476d0098f65e7052e4f8ebe159c9055bb83c1f9d607caf14481a35f8ea9c96457d2a9a3631d80bb483e07

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
dd39b09c4e3865e79b563841b6411e5b

SHA1
06d1bc8e4768b7e9a53893f39f8371af71f2bded

SHA256
786cffe3c4dc18ffaa46ba54aaf061c49d9b39e81f203726e1759a19d83ac634

SHA512
8b2375a373a8f93c4f0a3c73fdee98b66bfadbb24d0553919c82d20c1ddbe8ebc0f67f024d51f529312315760144cd96571300c227c35374fcfb575c693405d6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
625274b5141767bd59cfc9c1dcc23cc4

SHA1
666591d882c1eadccc00e691728c3423078f43b2

SHA256
547964fb305625be2997fdd0154133653c61060da082984c318581edb3593828

SHA512
8910472db15e5238d83de81abccb27ce94ebc5604e6ec6aa30eb50594673b0b0e72529a8f3a23cc26d1afbc705bfb5101b7cfddb7f568ee70b7715c385cbfd56

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cc17e498bbb3c34eb403b9614c976713

SHA1
6d8fdece805dd6f1f5e8271ab180a41c0b9cd437

SHA256
3105324063ed7b6aee6eb86db571b9eaaa5c4d6e3d666a6a0dcb24edcaa86dee

SHA512
6e8b6cdb434b0c26a3c500ddd420f167cd74c624ff3c900011c46aaff0dfee9f1b524745bc0ce3b6a09f84753cee4e2445f8917983d82ca65b3792b9206c6d93

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
606129040d37bbec22f3ffc058814cbd

SHA1
47d533884edcf17606072f7bccccb950c9ba82bc

SHA256
669aefbde8e027e4af183ea6d8bffb87ae2393611ab6e0835f1bc1b1eea520b7

SHA512
22da6a7426ed238342c4c988097e181576d5e65bc91cc729d3320f23f307cf9e7adf6c167066ce9d0486728b4ce6aadd0c204196ec99454689d231305877c6ce

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
456eb92ba6a926dd3664e9f01a3f168c

SHA1
f35529c27b3ae2500bc6e550bc5e3cd9988aee3c

SHA256
7963064531255963800fdf5091958fe6b68f240189e062bf8499827e255c6cf3

SHA512
eee91fb74b09d15c19741250671ade65ac896035a35bd31ac9b6895e447c59c699c9a830d8cb3234e65b0278c39709e182c06c90656d0c7bdc178efabbe0c63b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1c18daba876d5d8d885e8bf0d7ae47ba

SHA1
b105a7e3599e02d6a4d04e2a2f26a64f224ba479

SHA256
fb7fc4dd81524e08ac4f940ac860196322974b2acc5896b26f0538d685382034

SHA512
cba821f9b83a3479ac557501671dd6761096d0b56eab6b682382dd6dcebbbe009a8b1364e239f62bacbc32eb86c01ec095feddec56bb5635ca08bc46d399bce9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bf271c69359b1012d46f5dddb2db9fbc

SHA1
31729734ab4534718304fd559a36ac7515730f88

SHA256
da33c429da43c7092b65116489d900a3e8180abf9fe241ba4339dc2ad7ef7871

SHA512
cfa4b069d36dfd11274c993bc788b39bf235a7f8d590bf55c50c708323b3254490e1ea2eb7ec6e4677b3b107ecd11fb1b0403442aeaa8fd4fb14b7871346eb27

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
93929217f5328bf282151ee7bacf6e72

SHA1
9c3998e58eb0c90e66fbe173aea9b6296ad865bb

SHA256
65fb56297d08ff6fab939434a45160a3150632225402faf7cd935c6024dd0f9e

SHA512
08b9a0039cc55993bd737efc6c80e228a6b89ea82a7e01a78f07ae19b7881870ad574e7b81f6d932c864c6e1fab689d19804af7b6930674c34a49871c296222c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
55045163a5d8fd9e038f78b68f27b506

SHA1
82ad2d71e3e7d7a49e36acdf4aa462b5965ac4fa

SHA256
966e18ad0005b372cc24a4565f9757228ca2c08277ef135fbf18a501bcd7b6ed

SHA512
22714cb02d2eb64bcc6d1bb3cab4fafa7e5b994c86213bb84cc82ebb5121ed79908727aaac4c72167caa08376a3fc2a20ed03305e4ff580c3369fd9cdf197415

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5179cfcc048f9a6901aab854931314ca

SHA1
6c6a024da371b524f6d61faad956d49c088a4541

SHA256
00d039c9f501523ed22c7fb8494add2133d07b6f73d8969b85c086b3a8985815

SHA512
aa0d8bf329bf5abffa303caccd76d4a928bb9f4747db85fbc329191814c67b7510c8097396d312187c3f5602375e7224617f19b33bb3527696c37774fda0bbe1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b8e21db39151e77318f70583c68505a1

SHA1
149b1a4c3b0966f4b7b2168f9a3d71248dc2713a

SHA256
6d78ce1afa895f3be7add03f4bcef3ed31f25aad0e93e84db5b43f114525e691

SHA512
d3ee678289998ff38679cf1813ed92d305e23e1d57e8f5180bc189858808f95da67b21947360682993e722915c5cb2b0b1c0f873df38defdb567611ee003f0ba

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8794e3823fa6974b2bca5d2551ea58ae

SHA1
d66adfff84bd461a5db4b4640e3267525d68f63f

SHA256
c91e3e8d8a4f0aeb21cfbf5ec8af6e7726c3d07e19c7fca8f756f335be9bcf88

SHA512
9a9eb151bd6ca71f8e5dd4ebb75d8123fa9be4c9d1b520eed588354806ee8b108600ade630fe429ef3cc3fad516a8e383673c01c596b798f9c27a5bd4bf5a3e3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b644c167e2ec0ec7d867bdf5a48e008d

SHA1
0a3c5874aa42bd7afc7086ae056ed0af0578922f

SHA256
b4c3aac3a3ed14817e7ac8459ac06cce84585a62870d2860f2485b41c8c5109c

SHA512
c9899fc0bb05217d9d348ddff18d1f13dc160ff1470f1f2e587034200d86ad9c6798a003305d6c60fd25408559b5c6278c189e569c04f74b6e0cc6c3ae8cf670

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3225ca8411d138defe20d89bcfd8144d

SHA1
c2188714bc765a6d304588f6bd3a4c001e00f4dd

SHA256
ae95dacc04c4194292eb20150d073e69538ab1cd51a26af8af0b680ebb00bc14

SHA512
521dbecc6b193710a4c2d357aaf44c0c4dc1ff55711715ac8002966353c8fe16da63905efeab35002a395e6068137e007179d810ef6946c7e7d34e46c62e5873

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
0b39fad633b9789975898cd2613a7fd8

SHA1
5306c1415985778c41f07f5604e5bc61e9609391

SHA256
69f26e8b73b0acb19682d32695fd4bf545d1e48ed6273f29510cda941c87dd4f

SHA512
c23e3549830918ebf8c311d3e505df321c3a3be900a512ff043a652299febc2eae9a8f8926276755d51929469b26767f4bc007bc544c4f1b7f0d44c50d131030

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
c2fe35a54d3f5ce72cc57bde43e721f9

SHA1
a24b8d066570031ee230ebd74983facc1df12d42

SHA256
3f7a822c20ced1354a9236da8f531d1b9051bae07cf368be3f72edb6825badd4

SHA512
4f8a4c03b0dde9b214e847b0a03af810d321d1b3999138c6d11a071165822f66e483559ce3d87d4042447cf061fb553e69e8a7a39218cfd5c3b8b454bc4590f7

Download Submit
memory/400-47-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/400-55-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/400-53-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/400-445-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/544-11-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/544-154-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/544-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/544-21-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/760-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/760-1-0x0000000002360000-0x00000000023C6000-memory.dmp

Filesize
408KB

Download
memory/760-6-0x0000000002360000-0x00000000023C6000-memory.dmp

Filesize
408KB

Download
memory/760-64-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1480-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1480-581-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1492-244-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1492-587-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1556-157-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1740-586-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1740-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2336-156-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2556-155-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2620-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2620-580-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2668-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2668-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2668-37-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2668-72-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2668-43-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2704-243-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2836-203-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2836-583-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3100-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3100-89-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3228-201-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3228-582-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3644-74-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3644-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3644-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3644-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3644-80-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3720-202-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3824-589-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3824-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3836-58-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3836-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3836-463-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3836-67-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4080-257-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4080-588-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4288-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4288-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4564-200-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5040-33-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5040-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5040-207-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5040-27-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download