0a1c56ed50e2500a355ac6b394f8342018ca931a7010b27c3a2590686919b0f4

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
Size

1.8MB
MD5

1bbc8015bc30c4e9508bc92c84357be8
SHA1

bb16732899c8f09b0311ab7cdeef314af3b89acd
SHA256

0a1c56ed50e2500a355ac6b394f8342018ca931a7010b27c3a2590686919b0f4
SHA512

77ca74d05662667da0923142b3af665ee7cff31644ba92c6bbd0b2621be6459ec80fb23a00d6dee2f65f9e5e1876582aed311a2db8be171d1d25d2187786b720
SSDEEP

49152:SE19+ApwXk1QE1RzsEQPaxHNlkQ/qoLEw:393wXmoKNqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4656	alg.exe
3752	DiagnosticsHub.StandardCollector.Service.exe
780	fxssvc.exe
4404	elevation_service.exe
2628	elevation_service.exe
2624	maintenanceservice.exe
3272	msdtc.exe
4472	OSE.EXE
1404	PerceptionSimulationService.exe
4152	perfhost.exe
2128	locator.exe
1832	SensorDataService.exe
2068	snmptrap.exe
4600	spectrum.exe
2912	ssh-agent.exe
2968	TieringEngineService.exe
4732	AgentService.exe
2784	vds.exe
4180	vssvc.exe
448	wbengine.exe
4352	WmiApSrv.exe
2640	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\79ed9c1ad590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ddb09549cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f1424549cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1a719559cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d62918549cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a8012559cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000528b1a549cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efb040549cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe

pid	process
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
Token: SeAuditPrivilege	780	fxssvc.exe
Token: SeRestorePrivilege	2968	TieringEngineService.exe
Token: SeManageVolumePrivilege	2968	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4732	AgentService.exe
Token: SeBackupPrivilege	4180	vssvc.exe
Token: SeRestorePrivilege	4180	vssvc.exe
Token: SeAuditPrivilege	4180	vssvc.exe
Token: SeBackupPrivilege	448	wbengine.exe
Token: SeRestorePrivilege	448	wbengine.exe
Token: SeSecurityPrivilege	448	wbengine.exe
Token: 33	2640	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeDebugPrivilege	4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
Token: SeDebugPrivilege	4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
Token: SeDebugPrivilege	4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
Token: SeDebugPrivilege	4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
Token: SeDebugPrivilege	4388	2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
Token: SeDebugPrivilege	4656	alg.exe
Token: SeDebugPrivilege	4656	alg.exe
Token: SeDebugPrivilege	4656	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2640 wrote to memory of 960	2640	SearchIndexer.exe	SearchProtocolHost.exe
PID 2640 wrote to memory of 960	2640	SearchIndexer.exe	SearchProtocolHost.exe
PID 2640 wrote to memory of 1104	2640	SearchIndexer.exe	SearchFilterHost.exe
PID 2640 wrote to memory of 1104	2640	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_1bbc8015bc30c4e9508bc92c84357be8_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3800

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2628

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3272

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2128

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1832

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4392

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:960

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1efe2407c55a76872a5ec14edfa9d6fa

SHA1
be20283257b6fdd3e70df685c6954c81d053b6ca

SHA256
396c655da19960c09512af8c8aeb90ed12e234f08af71fdd0d6f3243926fefcb

SHA512
f0b486306b5d44271d141426156ba65b9ac0b15344def44a062344712d9d3ba631a568e99932f56619045d58eeb48795cb88599cbdda1cfb955cf63c5a852367

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0db743dcb43e09b441918600c423fec5

SHA1
d2fb7cfc1cd89587b9f04deee6eb933295c97990

SHA256
6c50465a755078d81e26cc23f17fa148cbce49c4dd251c6e5809c8714c4fb8c5

SHA512
c8236237337c4a7df91761ba1d564b2249135d81f87790bfd16290d364762c93a7d80a1c29c2ca22bff94da8cf751b9d74aa77161535314cb6b3bf4c3e930adf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
83cb5d131ee12fae96fa59febc0cf2aa

SHA1
33e4c7ce34b0b850a700277813344c8cf19ba515

SHA256
1332c50d29c74af819f98bc34360f11348bcdee4a0d453691c231a3fb12f7668

SHA512
b2138276d6f9ff4ee72b43dcf21d05d422c8e09abc5c3f297231cfd3abfb3172354e61bc18640db2e0b90485057414c17e7d0e49c2480e66636103e50b94feac

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6729588896d1edcaf2fc75e9c60db436

SHA1
ac4b4ee5e1ee1a3c2b6d24aff679a0adca4360cc

SHA256
47b69b124d2bda792b1f7ed9b9298eeaece1e3c59b6dfe381336bc1aaf0fd0cb

SHA512
9cfdfedf6c6fab052aba74d812797a797c4089b53a45f608537b4c4feb46b63b617cb974b019ffceb764bfb69b34a9bffe84e3b30ee3e45e04244a1125c8ae22

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d0d040741c6b23b0434755411efa84e0

SHA1
8f418d353450cfdbcd45facc2a47aa6b5339c210

SHA256
690b1a8ff6106f3d0f7b7afec37a40be1888d9591378c43868eac0b216072045

SHA512
fadf82cb60bd69e17ab259245c32814ec38151f547bf53205d29978d71be599fd42313ef2914889da8d4f95281fa96d744591dbc27f75248b2e4d9a9c869fa61

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9159c42d2942931385f446c4c9920ca1

SHA1
4f8340aa8207b5b15acd321cb803d681ff9a5360

SHA256
f51fbdf72cd0232c0959d1c795d374ab019a3d5f67e6111ad9dace268d3e9c07

SHA512
836733013d186b33ed5b0d73da0c62c2f9772dbba287f4e3a8cefb8ebce1731dc91815bc1666118e85a770ec84769231bb55016007f0406fb8b8d3177233ccc8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
f74b1d1703877f28e1593cc10a5ca07d

SHA1
8dce3857d04f9f4dbbe687133f7c5611fd7b0b15

SHA256
83bd57a0fed640aa5eae0d747fd64dfa80fae5072f25d412284074c1f438a5af

SHA512
dd08ce2a694c4673c9fe0bce34f36fc94f614edb0fa069abeb10d60890ea24f34f8bfaf839860c96eae1d36addb817187f92f2b2293d6be799d08f911d46a012

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c0b481b6a226cfc3162dc5590629e7f2

SHA1
fed4b29497d721336fd258d8b948a99286ad4814

SHA256
9aad3caea8a6dd7fce895c369e9124ee4168d86c97f3c639aa4487930f226bd6

SHA512
19d5c807004f8cde9cb228dca03bbb3890d20d28971e763ef2a42f9b12c8c5e9ebe35a0ff5575ea40f3ee156cddd6da19f238945d803594b9fd5a5ca8eaccebe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ca77bcdb4643307f83b20babb1de01c2

SHA1
c06f7429e766a41b9ab51aef1f1b37d5115b1e7a

SHA256
732dc22940119153d759bfe6ffce073474ed7daa51dae9594f4a31e8f06b7b48

SHA512
c42edfdb75a120f46099cc4204ebda24130d3e6f422ee95837a8f834bcf91091ed85774da3e5d31c251e6e5f5acf2aff1963455e04e6d06f12928de746efae73

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
74a598ecc5fdddbb7c8f3fc111c59369

SHA1
5d43c7277897483b6021e64cef9652f283de1ffc

SHA256
3edcc758b23560d50c96cc5e091b4d75819a4f21abce0e809026b67233e69c5f

SHA512
a425e2a6c6ec2b81e7fd8de46f2c1984afadedab1404b50c197f345722eaafdb6e73fe6d130b842d05ea44ff11e5a4555881b1a91b165682107747a7c21f563e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
35cd8e44034cd496fcefef642c91fcaf

SHA1
cb92c42926361b044677488ea3563f64519ef037

SHA256
615f50e6f075eca98f66bb6cbbd6236e0de516f550b0c806d9d2c1d274a9a814

SHA512
24fd8c2ca24c3157c27403a38d863c230d1b6ed4d047de9bf64c127378856fe87ad1771808f8c952bf6fe718a9aa07aae414b982c8d363f76e3f57c7c3e2da54

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
75275a960c537d3c00e44fc7fce06c2c

SHA1
0bbcc54e7fcf83dd93c98fe49082c59f8f61f91d

SHA256
514e313e3a41a5a79787a563ac637a343c6899269829c10d36fbcf9aeddff51b

SHA512
abae09911bb67bda46e3c7e2adfdd29ca0fd162e3df69825f4ebf2432f427eead45946ccc64737f5636e1b48342f4a5be0fb972f5d8476c18133b2996442c3cd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ff65b609b562eca2903b3678c350dee4

SHA1
1dde26d7f7d55c8fe08b21ea90e991a3f4b6fbeb

SHA256
013c554eca69b24d310889272358b90fdcd6da2e9795966c169ac85c27b52e7a

SHA512
bcc310fecdd51696c7e2d47e096798a8655e7c85808fbf7080cddb0d05fe625a20666f8652f37a6a008eb7178614ca4858df38d46a50bbab74a7babf2d1a2a14

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9188286e8cd9f7339a827b8bf26ce148

SHA1
9652c76199f3c237964c0b9961a405b9c7f70acc

SHA256
e61afe876164c83f095125756ea2cf85e8329c5562b502ae235d1a86f65d199f

SHA512
7ff20a24d3c254b4c934a3a2c2a12e9797524a5642b705486952fc8f831b348bdec343f04c7ae90fbee62d5968c8321880dd09c815df0ef9030c0eeb0d968199

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c48aea81ec61c38abae9b23ea8ff0688

SHA1
08101f0030e8f36f9d3da068e588213c1a82e2ed

SHA256
80bd5efdade72b4b2099c4b71f1b4c4c5961ab6178428d3054fffbb3037cdfa5

SHA512
2f0eaa909943bdd232b810423e8922b5681849230f2a58463519f2a1bc1c5255f5c9e3ff9bb1446ca237a5b09b02285e5e44dc9b0257851beb1da1cb84127f4d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9d6a23eb6ba79031dc4a12c59ab0954c

SHA1
a2030ec42d2d76249a824b56c8b1f64aa1076317

SHA256
839382847661506a16e42055f31ad64f29f9b9d4232d1cfdb7c113992d3d347b

SHA512
1fb4e154b38aff9a8dbc6bc087e862eaf9e6e6a94f4aef5d16e46c7e27b2fc0db2110af73ff47daa135f14259e29eaac2f4380f54e4c636582bfc195815af6df

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5870ac5c8bdca065a25437f8fc68c1e5

SHA1
8afff2233c9a28e87e5ed668e2520b5625451e80

SHA256
41de6f4371faa4b5c682668ffd5b5092206b3d02721a1b8748d512288df6bf7f

SHA512
51b76fead2dc6361ecf4dae139418ebb1c3842a384e1ffd61d608c2b38ea4fdd455738036fc7d625ee912aa57d8a01416d37f1ca63b57fb4c2beaf318e17b849

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f783badab3eb3440131bcf653d3b7540

SHA1
53e4345d565fbfa6189d3e0c7421e60ba9429731

SHA256
734e96aab4a37b13a5432bf6576c1ca9003d24e6a9dc24de45f41f74f4a0496c

SHA512
b04e55918e3157c4419a1aa40d272764a14fe6d1a61844f7d13ad0d3b2afba28bb70240ac94e60da17d597251c84f0990be632ff596c74a4e356d4d5a704e1f1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7f4733f39b85a057de42c9a9833e172c

SHA1
2fea03b764b87cd1296db5e2cd12026f3ad61fcb

SHA256
5c0ac50a42397e27954e07ca951332431a583c0dee44c4b2df7c43aa13f53698

SHA512
5d39504e8d3d621b7800e7335b156e0414fbd8b2daaa5c591d687f2b7de1b82dc5edf6422f790b0af2b1facce9a5b2bd562dbfc4d8c1515d2496cd834e43bb80

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2c39af6325b3ab01680d056dffd1df33

SHA1
377abe19ef170d8db76b7948a894854c3448cef7

SHA256
ed2403e8f732c2ebebc39fef30f47ee03ceca5e74205ad128f21e08fbfca28d6

SHA512
5a2592b02b3bc4069b897702562fbeb68d47730d2a9397a18ce30f4cd64bb6aee50d323be387af427f2dba3b941520f8cf2bda6891bd5c257f7316671c501c83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
5c8795623745345e4c81a216b10f9887

SHA1
58c91b08adbc9348b1790adffa3fd7f0dbbb7c03

SHA256
26022dc44e8a6198e617babde695c126ebbc044ea434dcdb021fb7de9d69c1e6

SHA512
f7d903d0f03b48f81147c88bd75595f1432fe064c53a8769be96c620f02086c2a91c6f1b1aaad3897638a6cf62d8bbbd8d4bc99556f15638f5548574a117f758

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
53c27373814c40e46d2b6b0f611bacfd

SHA1
5aff62122b4a5c4a6335e3cd2fb778370f512dc6

SHA256
22c2fd88935d504616d88fd34afbeaf6bc9d795c7ee5e8497eb127e2ed292050

SHA512
dcadb3a7d7bfd4781bbaa05045a3f26a8b612e98995b8c58f007dae13cbf7a90a8c66c77c4ec7be11c27c9f0145b96a963deaa34f84963b2f405442f824e22a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
b935468c37e449f38cb7b12f9b56101c

SHA1
812a6b19df2d487eb129b4db807f38230cc28be7

SHA256
0748c28993789b8907f24bbf9593b17c3ac5009d3768cb4eca43440eaeb3aa88

SHA512
744a4b4a3cedb8bc7d8fdaa8ce9ea5307f7a4232acfb74cf2cc3eb39ab3ee898eaecf815228e2c4767e95e96f5a970de84b69ffb0fa97942cbe75ccf8a94ce50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
aee741f46c10b7ebd37a2393eadc0127

SHA1
347ac385508bc99846b4ce8b12b13dee8b268051

SHA256
939ddd8de4e490343b93478d6affc8e13d0f65961a97ff646901eb7d88bd95d8

SHA512
41cbb8542aba8dd57ad55a8a563ec61e6fe9e053e2c3e10f95dabc63677a2b207be187041ef39a6c204334a36d0db273feb6d444116a1c6c75c7dff3416f1250

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
01842c59e94a9acc7f769263555a675f

SHA1
f8fcaa12f215c5439dc3fe07e77b4d2986f8aebd

SHA256
e385d8c447c7ed9f3e2bc8fad5f941a224eb8d07b388e5b3e1f8cb1b5d6268a6

SHA512
c4efdd82c032f2a6494bcde3cee4520af61e9b0c741ea527a8f2b8e809968c40ec06908aa6af6efce86d9523cd90eae00815853dd23c7551e5a162471624c0ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
71ffe198256f28ef01c2af551f89a758

SHA1
3a37a319366f8ed659cb03c9675a5ee93c11ad7c

SHA256
727ebc53350cbb0f37854e8b74d1f0b7d8eb2c38c8e522d7f96af4f6a012d2a3

SHA512
91c060e698f4ef174ea898dc0b352f48967c619457b195c51ada214b11743d5cbc6ffeca2acba5077601a35267ec4a6d72d26f340857e3c99c22111e23195dd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
b8f2891826bb78e596669f58adb9b3b9

SHA1
53da2d20a3db8acdf3fbf690b11da20e366aea48

SHA256
1095aca760759e62c9bc3a792bd2cc334f8ccd8a4bf318d9b532cde96110045c

SHA512
b75fd407b312bfb3f5f3bd7c7616c3607ab5d6d7415483725a37ca2756e7ee3d577824c433c82a801116c1b61a3f7b019ca56674bf1584cef55db8b88cabd209

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
4f5157688c7fa7823cb9f3a29c6766f7

SHA1
71de6b947fffbf79875b58e3cae1ec1c3faebf7d

SHA256
f2f895bc9d95a26a2520f4cb747e78799c313b74ceb73cceb73642b0f077b47e

SHA512
55f2b647e9ef1963333628794699816c936d0062534b5462d2a108d32cc7bd434e39a3cca3eefcaf6b70fc9fe4a9a05bbcd76c7e038d309b229ec89535d07118

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
681ae505c5202917cec52a3b5cdba709

SHA1
201b91233bb37a7a594943ff2499a1e98892b44d

SHA256
db37138037cbe38f51578ea9793365ac935252340bcf61f4760fb27debd8026d

SHA512
56ae527cc155e94ac59c6b2f218977ec46c16be99da6e14e9203d8d6b05ee8501839fda1eb10b3b20626d0ae1426d6fdf2a7042789a843140900850ef952a023

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
45d6e1b83211ad0adadda78d74791296

SHA1
365d296e86f927902f28480eee1f16b58e882714

SHA256
cec80ac0722ee13913a58b583c1534db5c162eeb1538e7fca23d5be5905e7560

SHA512
7ea31ac8cd7f23210b39079e7c5a282c08ddfb2427642e6db0e9d556930b4c9954fc0c5d3fe1bdbe3e774961992584caac8d30276ceaa4c8f4d2d7853dc2926e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
2433f978e43b5a1150cf9ca4464ad484

SHA1
bcce38727615de9da6f5054503563733e5304ae4

SHA256
1cae2afc0994757e464e51f1a42e5f66ae49c3e6e79b0242e7af497d52b80a7d

SHA512
aad4d9a04e18086c2851bdcf84ead6a8df4ca1c2026c0e20f5f18646cad27b6b1b8e90186fdc42fa719d58a56113a1d5b8712c31fbb995781d25535c5aaa629e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
31bc7aaff0b8931648dadbe5b6f6ed07

SHA1
64bae3aecbf5fc162203607a2d7f1ab7d414a0f7

SHA256
33c12c8a63d3ce70ddcc44253eb72218eb5cd6ad11295414155f7b6ccbf9e338

SHA512
a0f924ad180181e643a6de57223f79c316c55c396410afa753aca8173fd087d5d12ec23f9e46bddcf9b27640c48b3d791344191060dbcace6a04898985a11e9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9bef03fb763050b58e3f82b6a6621ea3

SHA1
be256b2f58868e1fd366b634617beddcd3f4c875

SHA256
a4f4c2b42656b85714490abf8237734d1120229fa1507bd5b0f34cef3627247c

SHA512
ee5ee8b8edb803c2b8f7814be1c12ed9b8f689ed73da8b4fe3efd0c64f95fb169edf00dfa14043f738458b63041f414246696af77671e33a911abff42c1731a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
74fb2e76ff60d9da1739376f17ce69fe

SHA1
dd95b2c00596a133c8513fa7b8032810f860c7b1

SHA256
ef88522952bd78fe092fa505363c95ef731bd552f6b46037c4ab9228f5f0a88b

SHA512
1f41301fbb2f51dc984968e6d015db5eb1a55593bbe34684c70542c8e27ace97183b4ebb78adc8c822853c32168229b1edcf8c073f83b85d208c7e1805a0fe90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
770107f0da70d8aa618a65a6155c4e2f

SHA1
68a7f2eaef4a1c4b20d5ee61a09af58ea9e57f91

SHA256
dd7df1621e0df9c51dafa68cceafd94bffd6ba04137218faf01aa266ae271700

SHA512
78081cc2ce90fa4588ab7da6c23a885d3ff8d7aa166846e9d159c5059b54dda91b0aebd8e69ea5d7e1e726ebb80e2e5741102bffa73ad7a45fe89f5a944cad86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
65bcfaea8de22936db7ec9cd20af934c

SHA1
fc6ddb4a011b4d05161b52256c96ddbcd6de5a55

SHA256
e68da6b90a245142bd76f239d343fbd59bce2651388e9367efe3e5d56e053efd

SHA512
2d598712e3cec899b5011b3d1594ef527ed532eba255fefff46156dccfb2d0efa42e18d1bc738ecf4f80b6295e6163a76b410ccb878b6b7f38b7a0c37e6aae35

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f9ed5b88b74b65f8777de3cce2dbfba3

SHA1
9cbf29b65f30568a91488f9f665d50d9c94f471d

SHA256
f5057cc19f151fd63dfafe6122bf9a48cff3e6c62834a892b68d3dea912398c6

SHA512
36f4cd7d3e76362518f851d9626e02a8eba9bbda991800e6220435690e50ce6094df08d3707993fa7d29829cc5c9ee4879a4b27b67618d9d618540c020461aca

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
b11388ea6f1e3177181b0e8c91754839

SHA1
ba8db5957bc7e6050a30a97cb782f557a6a2c084

SHA256
f81e4677635264c40b9e802a75037a879e451d55ffbfb9aa0d53ec8d3dd49d8a

SHA512
963178297253fa1ecc02fba9dbc48aa4949447cdd32c3f2903202ff21e0dd6255d3212a78840c02a1faf2f71e04ea1af711ff802adf5c4e35d811074ecc3ddc6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d2f4fe4e55755fbb608f4610467efd70

SHA1
46fb18d08c860ad174ea0a38e5f4d53ec8df7e0c

SHA256
8fada4f584b7fefea27a8f0874c2953d8bcf46050512f1cd091cf13fd47d4007

SHA512
0846e95424d6b21149dc5f3f59028b28deedb1dcb0559f1323edbeca48efc64c17d317ab77d757141ac770c9180d7621343c089625e6a4458bb02e6de4697f76

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
594b21a31649c8c0a8bbe81e46481e22

SHA1
a0ad842b9fbec057227d8d6204be81f83b468c37

SHA256
fa7d93fb58f9f696ac2d914d675b8ac4cd0f761d5b29198920085f2a0419d084

SHA512
fb94f567bc635b97aa03e549f19a2b317370ae50ce02c0c87181994282887ff11d388e85e7c766efde4a4deaa1c3dd9ee202f0c673fd63884af6506c70e35ca6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fbc5d397566813577a0c2117bd785653

SHA1
ded4a509ed926fa9eb578bcae4a37e44c016d82d

SHA256
249355738076e3c158586280f2fe041b042cb5875dbae4d958a7bc62c259c419

SHA512
b81fccf21ccf7a62238a89696369ba5d02297001617bc4a9e5a22133103eb7c1701293d617d72fa383b331967d496a75de837cea854c4d6233bfedc713cf0b13

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c23b8795889ca225a457a199282513bb

SHA1
5b73a54cb6aacf65d6d19aac934132c2d90d3dbb

SHA256
bc1b7ced5070ad43035802ebe2db5d917a55e6b40736a519f5869f1184b55e7d

SHA512
0fb4f75793e8ef55e7621de01e41da87ed9d8b20f98fde8e119da6b45515be974c9ba5aa8966f0555099700a78796db570c010dfe85a0e4a8a290290decfad8a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
5b0a0a613c735961cad1ffd82a90ec37

SHA1
155392f4606839b698154e0779c1b632ca239f8d

SHA256
a357e554805adeaeb2e2969c9edbf9d08cf648d9b2da8c92b8ad3054faf05d0c

SHA512
6c4ffce4d64ff658422267efbfb0b7f3ac15817d50c87b64d489445f0fe9643d9fc8f5c2cdec514d34ef8eeb721f000b70ca2b1b06cce682a5de15d0aa2b5d86

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ff31a8cb185927d932ce9a2dd1dcb99f

SHA1
1ce63b25e0c4f860f3f8116dd682647a3f9044a8

SHA256
8bfa780c1e95d1d12652900411eedeeaf971134c0435d6440c52b51d32baa656

SHA512
22572c1d0163c3ba83c6de6ec8bd3b170f6e82047f35380ad2b3d59f54648c19a7526a3f2a3652c4fd2d41e1b73ce3a3988e55d9f1658069f31d0f826395fafb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e7b61aba75a3174493567672d082e0b8

SHA1
604c5e395f61b75540e21a4e63b5f085b18d5e42

SHA256
0a3066d30d43a369b668d4f0aa00c5a5c48f9975caa3d3643e3aa8674f15c88c

SHA512
440dd7dfaef2743299bb73e015483f407fa21f304c8d7656d95a58e93956f8c5f7756c0a0a3616cb30372982408098ab9c12b67b2b9dfb16531025a1aea0ded1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
51f3f983da55afa38c57455b43d12c86

SHA1
d741de6d7b1141f4cae1955c4ba22ee5e958b664

SHA256
f0db35d2bbbfe0a326c6eb1494f10ff2467c9a217897a523ff2df983ef418cae

SHA512
2fcba66a75a9a30b71d075406498de22b1f3759d670da72ace16345a7a5fb472e716654e20e7f6ec6db0b3c2b16bb9d4647775c43b69d3fce14fcede5e3692b9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
809002f6bb6c701b3d314c16e140d111

SHA1
9969a5a2931efbec1849f84dcded42e8ae5dc154

SHA256
17013e18000c1eca4a8dc7ea4ec605ce78863fee4240b77eb9c6ca216fe10588

SHA512
6cc52e8a9080e87464f85f07ebea33204ee3c282e7808bf55d9a101e72831588553e6551a8d49da6ce16833598dc863f975b64ac0e02396cc600ab943d2f347e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
63c5e6ab51ece41ae2b1e8fac9c0bb0d

SHA1
918f9f6b902b9d56c12e057b838e03f4a1155874

SHA256
ceb33f30f067d262ab9479129f29aa174d6fd0bb2a5920859e9dc93c26a79560

SHA512
a2b67a91905cd310d5cda504d3c22308dba535250fbc42f0012f054c3988c16f20122a6b156a19ee58a6934167a73da24fc082a4ec5b750a50b3e4efc9fe003a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ce2e4de23cd9ddc8fe9957b15e1aa0e8

SHA1
9c7f6c1af10794e96933b22f51057342cd1968f1

SHA256
69aaf6e34089b756733f316186111865bfb6fce9ff4aa93d436068730eb4033c

SHA512
3bf521eebe0728866215faf6a5f400d70daceb93b630c0b68327cb429d2b46bca64f9595feaf4e3cae0a0533f192f4eff6862da480623dce8b58b13cb5fb2c58

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dbe35529306f5f873d3219f814545f63

SHA1
cdef4d1e2fcc748c7ebacbf5f3100c0349955169

SHA256
4e4be2ccfbbcab38961f8d1e749abab3a29bce4411455a19d067bb2fa6e026ec

SHA512
d3662ad8e5d4d894d02c2c0cc8591fb86fde1552de7a523eedc6e3ca248afa925f356b1298e3a2a7bdd9c6c5eb27471caca8a42c929bf9bc1cbeab49a20f1314

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ab56b071bc509712187d63b1bf1d38f7

SHA1
b3edb9f6f1f58959e6553e801beab5ad982c9185

SHA256
a0b713a81ed4f5e2c49a44e961b6e5a8359521491468a86bd7e9dc847987b719

SHA512
a6774f951955a84743816b28ef2b34e55f4688ae5eaf3113171158d7eeee76d5eafa5b4c68162e39f85cc716a4cff15358ed6eb761dd5ab60f9ec469c31a100a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
779df4b8768d778e19742ba6f4a37002

SHA1
da31ed2dc55e67f8c372f8f612395cad5333a4c3

SHA256
b3cfc8149fa07f47fd0182f5bbf9412ab3ef31c5bbc88839958b8e04fc4530e3

SHA512
3f68e13caa044ff96d83cf392b3b0a4e491633082636bbfba2f4674ade1e659076741b5eb7de01dd3bdb90699b32945d4eb1838da046ffd723c85b0559e7bdc5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ccf67c06b52993207dff44ce9587fcb1

SHA1
9eabf8bd2c4bd11500526cdc864a3d212438b988

SHA256
e4e7bd5d1c5a5765b6b8604813dc09b8eb0db1bafff8d5200adbd8ee4765b70e

SHA512
63677c3d18a3c1474b1651f84598760505e4fd67399ce0902d79919385da1c574fef5c5087d365a6ef15e4ad91a98b51e60254a68f7e898e8701a6dab0da7050

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f94b8b2c85a95cad7b0ed4c7da44936e

SHA1
51404ca1565a93249e466d9d9134dbf077e8f588

SHA256
476c6df33d2e530afe270cd7be727324edc1bccc2c2591207d6250f4ffd5fa43

SHA512
56fb8ed65ee5023dd93375f043a64c84a611f3eb7ae213437f14f0fed269ef7e7b6016fb9b92966232da849b65a7192ca06c849f5fe4f79dd3d5ef0dbb6dff38

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b8985a86586e8674620c8cbfe8dc9ebc

SHA1
19c36c9c8f95740c74c2e9a96c7f719b4fd412c3

SHA256
80392f2737166f19bf4b6d770f6dfe9911da3c282b2c856668626c275503207c

SHA512
7f12bf10294b47cf0ede4fa5259334c29e8f3e32b2a3eb4f6a677882b2950a71e5480f01242891ae3a766877158c7da469d541a00088b569e359cee3512f8dc4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7e1a58d3f62875c2d1fa231c9bb59078

SHA1
ae00709ccbd14529872f5e7b76d008c8a0c57d15

SHA256
930280b90b06cb699f08927bc5e890070f608fd678f77b0f989da18277bbb068

SHA512
379b6a36842e68274a4f509694c14252e11b503ff97055af3f7283d1cef2fcb0f25139f7d5c8330957df4cc2c4b35a2c445cc9fed6fc5aa55da3f74915c1d320

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2b88e3567e4387e843af9db6ea0260d6

SHA1
d3f51f57e23b8cb26fa4ec7cdd85cca606adf8fc

SHA256
99256fd85b1cb09b9b3dbe43fd3b9aba88fa5d441da94adefa9882406f53c82d

SHA512
dacac57f5b55723cc30e351feaf513fd87a9e2132d79c16187856440d8571f2b26436a5daad835e2a125f8a27472a8bdf0c81edf8071f944ce243bd2cb549098

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6187da7031fefbb9c6d7aaaf8faece32

SHA1
60e9b82e3aec1a3288613ffedd4ae8e5f87902b6

SHA256
67f05ce761cf41d6339dbd8baffc0d243c4be912f4cb7a4176229c135458816e

SHA512
251df41b44a1ad7f157b31eee0ee59bf6ae54d37f4daa40a31e2f267ab18160c9975a9d78501476e2f121405adf09c0d9f5e946e882f31ca37bf2d65b2a15aa4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
5d5db2b3b1a0129712a19ca43df8d5c8

SHA1
334b01e11da2530829b8f6d6577fdd2f14c2a7fc

SHA256
9fd1d6362e1685d780d5c52c1116341859d8b92617dc2b3ee5c7914d0ee29dc1

SHA512
5ac12cb197ca95a2eac9c607416e23178e4062296ad7d73b5688b471c09d9818b47bcdcb6e9bc524348fb01bd8f9d8271e2fc6b1d9ac7ea6bdf862f0f8baa516

Download Submit
memory/448-602-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/448-255-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/780-69-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/780-70-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/780-45-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/780-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/780-37-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/1404-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1404-235-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1832-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1832-595-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1832-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2068-470-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2068-170-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2128-259-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2128-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2624-98-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2624-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2624-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2624-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2624-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2628-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2628-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2628-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2628-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2640-605-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2640-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2784-598-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2784-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2912-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2912-592-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2968-596-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2968-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3272-89-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3272-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3752-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3752-33-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3752-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3752-128-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4152-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4152-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4180-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4180-601-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4352-604-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4352-260-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4388-74-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4388-6-0x0000000002330000-0x0000000002396000-memory.dmp

Filesize
408KB

Download
memory/4388-1-0x0000000002330000-0x0000000002396000-memory.dmp

Filesize
408KB

Download
memory/4388-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4404-179-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4404-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4404-54-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4404-48-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4472-223-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4472-112-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4600-180-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4600-511-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4656-111-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4656-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4656-18-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4656-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4732-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4732-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download