80332a4f6136be6494f88fb3b58c81fae78d9f560448a098cfb6442de7b65da5

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
Size

712KB
MD5

f820b64433379bf7d7a248a98682e7b2
SHA1

6163ee179fa5d201fe85879de2c73a779eec22ef
SHA256

80332a4f6136be6494f88fb3b58c81fae78d9f560448a098cfb6442de7b65da5
SHA512

16da2a047ae546822f0205be23852d95c2f5bf646fcbcfbe0b2601835e5f33b6d3b5cd1a1ae3543fb45e59bc058babf08c8208159c0e7765eafedce716e7c4f7
SSDEEP

12288:EtOw6BaDqZiMwQJXx6a/YvRcFKBsX9Da2XbJda3Q93i8OPowY79pk/DCWN:a6BBZiUJXca/VQBIe2dhi8OP3YGv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
932	alg.exe
4084	DiagnosticsHub.StandardCollector.Service.exe
1868	fxssvc.exe
4324	elevation_service.exe
5076	elevation_service.exe
4164	maintenanceservice.exe
2136	msdtc.exe
2836	OSE.EXE
4988	PerceptionSimulationService.exe
1116	perfhost.exe
4620	locator.exe
4316	SensorDataService.exe
4564	snmptrap.exe
4480	spectrum.exe
4276	ssh-agent.exe
1992	TieringEngineService.exe
3056	AgentService.exe
4608	vds.exe
2256	vssvc.exe
3836	wbengine.exe
4132	WmiApSrv.exe
1796	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\113f3db9293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002dbab7fe89acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000193f1eff89acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cae2e8f789acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031f874fe89acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a29cf6fd89acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001df10fff89acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd6706ff89acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085e2befe89acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e9a15fe89acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f80bcfe89acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe

pid	process
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676

pid	process
676
676

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
Token: SeAuditPrivilege	1868	fxssvc.exe
Token: SeRestorePrivilege	1992	TieringEngineService.exe
Token: SeManageVolumePrivilege	1992	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3056	AgentService.exe
Token: SeBackupPrivilege	2256	vssvc.exe
Token: SeRestorePrivilege	2256	vssvc.exe
Token: SeAuditPrivilege	2256	vssvc.exe
Token: SeBackupPrivilege	3836	wbengine.exe
Token: SeRestorePrivilege	3836	wbengine.exe
Token: SeSecurityPrivilege	3836	wbengine.exe
Token: 33	1796	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1796	SearchIndexer.exe
Token: SeDebugPrivilege	3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
Token: SeDebugPrivilege	3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
Token: SeDebugPrivilege	3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
Token: SeDebugPrivilege	3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
Token: SeDebugPrivilege	3036	2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
Token: SeDebugPrivilege	932	alg.exe
Token: SeDebugPrivilege	932	alg.exe
Token: SeDebugPrivilege	932	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1796 wrote to memory of 5048	1796	SearchIndexer.exe	SearchProtocolHost.exe
PID 1796 wrote to memory of 5048	1796	SearchIndexer.exe	SearchProtocolHost.exe
PID 1796 wrote to memory of 3724	1796	SearchIndexer.exe	SearchFilterHost.exe
PID 1796 wrote to memory of 3724	1796	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_f820b64433379bf7d7a248a98682e7b2_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3488

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5076

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2136

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4316

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4480

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4276

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3940

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5048
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8e8374586405f31130af2690965edd7e

SHA1
097bb977f05227c7c20c17d7a9904c323b4a7ae2

SHA256
670e8a142e3da8da5a62b6b58cb0f7191413f3ba1619bdd1c4106d15296d5cad

SHA512
5757a3eab34d02f787cf2fbb0bc7979811c9b154245df795b0c0343ff7cbe0cda4d2ad06d835e15904f30e9a4cae607f8396c4ac8c1e80bbca0463b0a458a3f1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
76bf6c251bfbc6774a688cf18d4f16a2

SHA1
8dd0c45e30109c86eeadf3b724ab92e7b569fe84

SHA256
3ec602b0103779f14870fd787f86418c0f91a63d72908e9e8378011ef4421821

SHA512
3c97d38a4bd0d59732767c505aabe19624aebe9ed5b5a16b4c384162d6e8cdf8f932e3647547b236cbe8d45c703d3c80cd2fecde4dc3d93b88dbac409ab99d35

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e6db096ac50c0a227cb3d0fbfddaf326

SHA1
5862baf75d297614fc3f69718659a788990c45ef

SHA256
cefd1246f36d5f73dc07311aed38f719c3dd3dbdbf54e34856fd230debd0638a

SHA512
e159d364c5a575f9c0ace20c41f19acb39859ae4a4967aaa9233bd593d73f77c4e20c29a08c352fe910e8aa750e5bcdd3786a5f2e5d9b07e815b5b8c117f0e02

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4e2aad4901369939202699d78ff7ec2a

SHA1
150198a18e59d3b6cab43f44010425eba20ab5cc

SHA256
93d21f8ebe2eca1e4866220daffc29d454bacd7e245f87bdf9d5e7b266ef016d

SHA512
8ad5fe55456665dae264621fb9e592726c09fa89d66ae488344779c4169e87b4a2102e82c798070b47305fc12989b3f7bbeba7926fc028345e6348da5f766d2d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
08606183f4d2aa91f08a8f1a9868a93b

SHA1
eb720ccca67aba74a541fdd9630674969d87a512

SHA256
7b1b18a019d276fc05b921ed70b1218f31b87225f471f8bf6926d6c39c51895f

SHA512
afb106b537e1776b747aa0e9117ddf332b2e6da8f47dd52f46ea72a9041bb1d6ce65bd11ffdb654d38bfb7615c9a375ddbc099b0d7fed14a8e97cface8a7d0bd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
2238e2a7a97bf578a913e0ccb5a10488

SHA1
66b18ced0cbacf903db39191cf9ffa08ff9c6a2e

SHA256
a17a055ac4de5b78473b72932a52ffc4b3af23c5b53f48bd934f6627db70ee29

SHA512
00b141e84611b81645cb5158a187f7a93638c9b1d18df235627b01ace0e312231f7a9428127f617d2a93c0d67d9ae95b6ea8d4f33d7deed9327c0e2a8de88458

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
f623cd17b4e306212c9ec53c337dc558

SHA1
e93bf123d123d4004c4897420244c65aa8a2e646

SHA256
b3d034de87ed62a37144bf8f0c1832ea385c7757d064636722c10b5aaef2144e

SHA512
612dd865e935f92a21419e8c207cec0b574b9fb0762d1abd026ea3a4dacac81a32f55859aaf308f2dc85981a5bafaa1d12c28df138fb4ccf5fff0410082926b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9a3008f431f9d1b26b1e24db5b802b0e

SHA1
2eaa768be0142acf783c0b13a685bb5183276c73

SHA256
4f939d05ec67617a4327c471a79c3d1ebcd61ab9ff28e974853de1880d720b58

SHA512
df34681b789882b1d74e955f9b0c0c8e49c8e19ff807f9092aff513cc2b74de603f026b7796debfc0ad777952c16c0c9bc8f1b863504f89916561976eaa32bc4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
5d8c9371e91cf328748a0cab58e5d391

SHA1
66ad107acd1f5f2433f8b52e5f2b5df677818c7c

SHA256
64c51efef6847c6471589301724dfb50065a6bd16e8a1da19cbbcf92df2ad0cb

SHA512
1084fb961e258d217c943b38ae9ad29cd84f473296b17b68186b80052dce163189ba151d11815eeeea9aa48408c199b70934ad265981a4f956bcc546b03b3246

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a4f9948e9265f9f98b536d638281a56c

SHA1
4edddc61a59967b01e322dfd0e6a63947223b0c1

SHA256
672ffa3c4ab26b677cfd8e6b40f57fedc705d169d7039e9041fba126123a00a3

SHA512
969f7f2b5ab6acede69fdf1c0f40011da21152035d17c7e658619b31bc1e24c5908809c63a43afa39dfbf9ea0b701e1a0e005a68602c8664cb3c1da13df73839

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b083324fc0253097eeb397dedf55f3ea

SHA1
faddea603369c30a5fdd7a984d8c491873380e17

SHA256
e49317ec3098598fa1a09b5f45dea4e4bff2bed3ea54edae8f70f9d019414b05

SHA512
6b9e68a30cb97d5ffa9385974a6badf99faee930cb9196924bb58fead615a291caacfe791cd422dd58fea6d341f85de328d088c62127df6581c93686781a62b0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
946e6c484c803a324832239f51267cbe

SHA1
1382ca971e73272ef7d393b0a49373dc33d07258

SHA256
eeb68993c8c95ed8fe913181b0b58acb1951f9e7e961c79a07fae216ed1e6219

SHA512
0639a2f3c2f7fc3d0528190e90158fcd717403887018632c32460fecb0f08fd753ee0932275ca14679507b84686bd9bf467f1a075730a04c7f0d61791dae640a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
86a68e09cd0a082872c3ff92b1f3830d

SHA1
cae7f154183b098abde7b0095c49ddb9448f1a91

SHA256
978cea6004cf00dd62f4ee1e517a22859221588bcc0479c791b6a450216819bc

SHA512
18761db9f3140d9bb15108148e1b407743f317cc7ecea1087141927b179cf1ea58a99f165011a9ce2d6b1ef1081fdd740106a350bed32dda2c886428afe5e35e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
aab805ec8bb5d2d58c143c04da980fcb

SHA1
9f6e7f5401472c9bbc08f3d20faaf21ea00b76ad

SHA256
c194acb4b33764ed545d77e4f33b4a74514c2bb90797478659c2ad4f31476819

SHA512
4a493fc57e487eb9fc0d7bdb23677035b2befb1cd51744a8350a4a423b1614c2fd79ad7b516826051ac9c803085e52d046a7cb3a145520cde8208fd4fa79c1a3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0cfac3f5efde0a62e0c7ab076b085a0f

SHA1
e00960f10f6fc80454affb85ccce57e75091f2ca

SHA256
c2f2bb963a0121a97b939493af6807e2eb6edfffa0a9e38cc8d0877f6e940551

SHA512
7ba2185cd54a922501ab62efeaa53cd42628141d208490d6f67324335c250f89e1a4b7cc12e4d18a038cdf9d06c7ba759cbb5394c4103cf14660bf4ca24a416d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7244d58a84903516476da4a5d503000f

SHA1
a0069832698f2f57db1964df732424233e79b492

SHA256
c9f7fffc7a131c5f821274f7dece3d94bdcd6fb2db91cf5c8e63c1189012c6bf

SHA512
f56150ba43aab16cbf11009a8a35c6a2aeada57f5625d562aebb2334c964dc81894f499b7a8c60f3793567440791035a4c8160f7f08f55f7599cd2dc9ebd39ed

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ccabcd1b1aeb99177ea443cba6749c7f

SHA1
8e1b5b8a84aca881cbc4856f58722ef0fd4ca71e

SHA256
ba89bcabe7cd180dfe48ee0dacce5a27590139fa7ec352716633cdb06363117e

SHA512
d08158aef7a1011415350440e49719bdcf244259c86f49932b23ce01955eb83d0f5c69bd763e8589f4119c1233c8297ac0d44c7d10b31b797d6372106bdfed9b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
847b7282a96d045bbf9fe40a229760be

SHA1
4f6197a247103d660bb1727423e4e1eccd050102

SHA256
7204413589d8c10d9a5d2159e3be6f3f3e878e9c804f1fa418c718120d7aa4aa

SHA512
29d14d87c9002c5c5f392b25ef8f337195ff2b6a90cbcdffa9ed08557faf28a5e90a4d1825a1860ec22b3f2c9d9a465d2bedbb7f23ee70c1b1ef1b144bb81659

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
053dd91bd3af8fdb8290db4e153c5639

SHA1
2f12fd100ce0c9c35973bb67ed17446a8ee66b64

SHA256
df90dd0d47aefd0d5c11d85acb0ebc1ae941d4469eac3e8b2699a02c71a0c8e3

SHA512
1d7532f28e83457c87705ea1070054712e27b1c7c7ed879a5f48c1c382d4c67d7c03ab0a651c16b0cd26952386227224229237e983658abbc5387a9feeac3b5c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4b7e74856d623f4d46662aad5566244f

SHA1
bd9a8761891f136c32fef20a22289deac122ee83

SHA256
72a86e57625a9a36a59c766cd0e1ee6309890ce41530d17c8ecc297ac9ef3e98

SHA512
fe7696f88956f39b3fa1e643155496b297a706549ca728aeb73134ecd995d0a1d3955f70205532c7eee5e5f55ce7aca89349f63d97bd918ad431b960fac1f30b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
9817f3e427ea929751657feae849b98f

SHA1
03af740ac159f0eff0fbdba746a5e5acc511203c

SHA256
623724e0f24406cbea1c2ce0eb4e65608186cb4a398f0464ff5816d83fe76407

SHA512
77eb5fd61ee4c9291d891704e4c8969a1f93299b741c22a86233c9af7d282f2785a00ac3f18b5397aafc4aec557b907e8f3821248b90f04bae29b2a02c049c93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4a55451c53dc869090244bbd5ef365e3

SHA1
e18f166db2fb3cebab91d74c1b215c65b0548b16

SHA256
3539007332f9e4d2d1eac263533fc69a8e6f9d576c8254a753a4f854ca95c490

SHA512
76d52615a78db78e9627c18edde7ff784fcd3e16cabff1564e0ab1cdbf01bba84dc24980faea2ec615a95aafe173b694edacf302728368791a956afa37c33275

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
22960da09c154164640f04fd5ce28bcb

SHA1
3efabe7fda653436e3377feb290961189d5e0d91

SHA256
da542a2f04d7b504f20cf1d0e8a9aecf7d12e1243394586a0dd84f6109ab9f65

SHA512
f0151e28d489728d941dc7075b0fb0232578fbbc3510017db48481e1a2762862d000e4cd721ffec8bcca0db7c9e5b770739a8c40e1823754fde0b84f7ed8dde5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
7562a312f6cc8545ad4dbabf19d5ddf0

SHA1
11a472a4f0da3d71c7c9b067a1f3da316d208aa8

SHA256
1ab1a85428869cba0857461ee5de5c489c57279da992170c7b6dee43a5609a81

SHA512
4a923426d94e0f5ea839be5c123ca443ce1275a4d24922eae136722cfb2215cb9fb74fcd4c2b05996863ab06b79f8607a6c8774c5bd78795717dd4ea5592ee5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
dc2ef8b209745890a3c2aa2a3c609845

SHA1
fbf537851a14146468ca6c0f096095f65b739656

SHA256
22add663ab93ba924ced9821a267b2e8f4f8831f7f02a081cf35427ec466de68

SHA512
cf49d93f45c28cf6a1b89cf8bf2111bccc41bb387424a0242648f59c8831ea8f893af918a1a17cbc1644cc4afaddb206cdee529a8e69ca4936a1a7420d0ef4f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
7e5cfcf51f5f2ea023048d2bab52741c

SHA1
9a39ec04fc9f7d89debc151ba563e886f3b1a8df

SHA256
97b5135e4d062841c9841879aa93430d1fdd2c3ed49d635b3e0c73174132e1cf

SHA512
c34f57b1e2445804c53f53d3a3eae612db7db2fec8afe80acbb934c12f9e63a2e4f3fc4616f2eb42d6e7fd2ab803b3b13ebc0152c9317fe3b74105179cc0afe2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5c2d9e72aed1ff87e58c25487c3e45f0

SHA1
c619b3623113f7d37ed3547454b7f55ebe4da8ee

SHA256
90f92bb995e7a37984fb41942731f15fd3874e186771b0cceca5d03c8f56a172

SHA512
056c6496aa6c24d6705db178d28c182c0b3dff5f7eb65ef52a9301690cfec8cac776e69cddb0701fd998d48cda38fd0bc45989687020648474032ae49766da8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f0df6f4c6583c7bd67553e1347e6fbfd

SHA1
791f1cc7a3a6c9059b55b0c432bce3a4c9eb8b92

SHA256
dd6bbf6b4c39f659b2ed6923a58ade31e18c8f1b5922e188b3d558132d89c450

SHA512
5d5f7cc922c2b2c4142a31ca165489f53d29c2b34d8e7b023327d6447a865c50ea432614e98b1a587250663fb8fe02ee7406f622d01487bc4a0e883d841639b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
9fbb947c310af272b6a1bb5e7c4a8132

SHA1
b3efdaad31866c09336385f30a3ffc51c697c015

SHA256
553502de85a915c3b51e03ef7b8a8ee47e4673c75777a675335611c0552e456c

SHA512
1b0df6fac5424a9f86373d8b496ad95b72192b24c132121112649eef1a929416f450884f1df399f9cfe11fa3112d4bfc6e4db2eeb6a2eeaf69362d489c44719b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f9689965fd0b32d9d7b7831ddcb13262

SHA1
cbfdd4ee4b7b276433c3f24e291f47b188043c7d

SHA256
31c5ba83a6941d2e7b020ce72caf45b6fdd53023bb04c4ea1cfbbcd52195f246

SHA512
730d5e2555a75814bcca406e21bd24b462cda262f7b0d07c7a9de84dc027588e338002d4c3b113851b48c8ac05c0c4c77e0792716789ee0eb9fffe425190b2a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
6ee4c2765eb16b076bd469ef10588f6f

SHA1
05b3c1b287533e80173a3b08e38d72bdfdf7dd9a

SHA256
03af92700478b5f08695cddc8e61d8520efb7761baf3367b48cfa07e17ecb2f5

SHA512
c9e5615f26b06fb3b737fafdf337412dc2c44cf8ca5ad26cd24f4d434d7cb2bad546831f19576e0562e5d1c93d10e4a719ad61d55782f53e4e2e65d628839035

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
197beeb79d7ddb4fd0f3d0f05e305b5f

SHA1
ed6740c0c0d9018491950b4544dbb6b0c61360eb

SHA256
85bea84a6169d9fe3eb01fe5f0c75ead1a7560c980933dbe502705be7789967b

SHA512
5152512b086fe1976a3012232e0d1dece794cd2aee68cacd873830a3de3709095575807e454e1d47921cfeb9fb64b8971263c8d0db15b6776af540d132b5d589

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
1b0f03bfe713d9dc2121932fbabb5c5a

SHA1
9a6ea7c81dd08b1e5c517645e6b4ed3f549d98aa

SHA256
efe98136a5263aab1ef8fe99ccbf8c24df618eafc3065cf1c6ecb4c882d0fd10

SHA512
8486ded4da239744f340dc3483f661a193b80ac90febd6c2cfcbeab4cd3898aa9e9c7a644ea3ef52650a2237c08bbb4292dd1b6f537ba9eb98412083523e58e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
822ec4e0dcb0693accf0a03cf36ccd6a

SHA1
844a7cf9deefd21f8d913d9e16c4d5275d7de33f

SHA256
b1c1903ef9a694aa324855d0d7371d74ea7a50314e2e5a570b2292a77ce2966d

SHA512
b88cce426dbdcb4b6be8f3f220945e6b5c09182051d065ab2df8cd53e2fc76ec11a42d26058f0fdf052e08ba7bcc30353bd9593ae3c48d47892f6158befd67fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
bd6d081232599f513da8cf68603a99b4

SHA1
1ff57aac93540e598c3a985e02ab699bb40aeb7f

SHA256
446945157750fb356e14b3e58a95103e5668dee8641bbcb234d0db0e40cbd0ac

SHA512
ec0205732c46bb07a45a60f76b29923c361d3924146833a787cd42ade231be808501417031839a06d9b20f0f9b86d6c3f1e14e6d5ab4263cfb7aa82802b1ed65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f73e95362e7c0a7d63a15016df2c911f

SHA1
54b9ccc1d78f796d7522902ae90142ccb60f546e

SHA256
c7327dd1bbaca9e5cb29a8fea9eea1d6167160bbb84346f4b89086ff2108ec6c

SHA512
ada5ab9c9496b439e6c7ecf9c9616ede911aca342844519129b00aa7ba787389869c59fbc89c4d038900f411927ef01be3aaecb6ebbed7eba5cbf461248327f1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
46027188c39ccc381cd0b7bda5f6f361

SHA1
4c035181bcffe8f58ab8d5b94152438cad94ff45

SHA256
8771d97d0c4d153958dc31f32c60c29d500372da7f385ea64a4ca7992e1e6d51

SHA512
8a2ae1283289e02b5c6dba4688688067dc3a60fccf71c539e28a5248836a2ac5bebd52783f687e6443fa0b6c8b2690cf28917250d05d2566687c0881f6a1e20a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d907b2d70427be042f71cd3b3d2a617c

SHA1
21729f0227862a91d5bcd109d30ea17d00cec18b

SHA256
0cfbffed21f75a44816c23328423c02850060182d10d4df236a25f934e969818

SHA512
15061dcb623fdb0c19775e0c4352cc092b2f99122f322495efcf627bf3776349b5642bca7e24226faea421bfbc322b56d014a86e2dc1474e51d34578db92d33a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
9ebd7034dd1486c2c7766ab4323b4048

SHA1
1a204df60f319071c40a0a0a0377f57feff90aae

SHA256
f056c1215524dc7fbcedc192467d92d88e3a06f6bc050e889af6a19b511af28a

SHA512
b4e6fc891c2597e253b18a3e7e3c8bd2a2572a9235eedc817b7b0e79da8f4c00fc9fa5d4312bd725002cc005118ec57ded0aedaa1cc0f6ca1638582fe2bb0a35

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
481ed75483d56dd331868ec60c64adc3

SHA1
a8a17a817f51a9fd8e08914b9c69d1c1ef7824ca

SHA256
8d713360e0b66510ffb74dfb66a96dda6ce2cae9a3e84176fe1e39cb6becf6d5

SHA512
44aee313b09c090877f52c5b2a27713c637df9e16637e6c5de185fcedac318528c8ae494095e307513f906c67776d2590ee51264b26bc0ca8daeb87a627797ae

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
53c7001b36030249803cfb6a89742477

SHA1
b2adfdda87f3fcd909a62df50980382179efac88

SHA256
4e01b7f1e414d1a72bf6b9f4f3dda8b15317236f352c32f8b035863a85583d7b

SHA512
2d2e10e8515059465e34b1bbc488674a7d4420e5623e84cd3977aa713b0aecdf39249dab37cee47a98483d28d5d9d51caef21499e1b10e28eecf9aea366e1be8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b2eddc8f0f0721ebe2ee54ba29cbef40

SHA1
f56ab4eae715b6ebb1bb7db3daf850d4db93a719

SHA256
28ce811758b743eb2df84ba0ddac50b3c1c20074bb7dc3fb721aa0d46473896f

SHA512
ecf46776fba47143f26e5895b3d727601eb0275d139affe4a99258259ead23826d7e1df7671e3b0352b5da7b5ef2b0c25ce93713168abcd0405e31102b527801

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
788821b86356210113311e9ef5dc2724

SHA1
b2576122b0c745b4c5f1da6afdac286088cf0c7b

SHA256
003a8fa8d3a8a5c684135c6eec6f6bd4aacfd35f23ee2b7e1a45ed53f488238f

SHA512
c879e76beaa66918ba5bf9769a0d86cfec5a0dbe80de543a3c0b6df917a1b8d4e4ba1c3778684d275e31523f0abbfd7456789f1e77f318013e6b0c9e4ab54846

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
752649b8cbcf21521f88057b058e2011

SHA1
115d8482e5c8dca0c9a623ac53dc1f2d38285905

SHA256
c32ac8a57335c55bc91fbe350fb2670b2cb2151f10cb01f4be8925925303121c

SHA512
eb39eeefa2eb0cd52266457a78eaabe21800cfa27db0721138870d83e27347157ef322d19e22319e443919fb5dbe4ebf6859bfc076abd93fae7f3eba071bb1a1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d6078f5d47ea4684b01f1b0bdd2abce7

SHA1
29fa0562c0b9bfbbce389f219cb30ff521b21efe

SHA256
45c7551cda146219eddc4dedcb63455287bc3d1e75a06ba545aa3d16d19dfbec

SHA512
2902fe673eddfbfaeacc75db42e433f78fffb2447a4368aa3af9e79af99eee79d8cd213ddfac980268afe1ec00c0766972076c2f7d39f75e6596d742d25fd6c3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bd8b00c243512ee8291cf78704c2d7dc

SHA1
7f8db1be5a457aacc73b19ca770c91f02ae197bb

SHA256
dca95a4905b4204bed91c4a894bd10177ebea58af2b6f13d2628a6dec79c965b

SHA512
dd508e480d9937d384fd58ecbcb20ffbb2d2f0758bbaacf05a459586040eec07f07d7f791671ca00a877e0901fe84c3f9d505c082954b9a792cb8e5c7c6fdc6c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a91f7405322b1a9cbef060644c862c0c

SHA1
a9bf6914e1aac7455540c58ac52c72e0fc08578b

SHA256
858f24370da5f3157f2ffe2aa61a2c286a9d2aa9b536b45b24d50f208331d4ca

SHA512
7c10f92dfbb006ef2e84cf0b6f2c449d1cbfb8bd2051cb4b9bf861e47620ae42d65de9c421b8b814c9ef12a20887ebef41dcf04cccb74a054a79fc6ae7ec2de5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
15aa35a4826513121188ac42cad7ad83

SHA1
07db1d94dc42a9c8373193179c83e3c55cd501af

SHA256
2c2b2d37956b74240493ed786ceb4e08bc6b7441d546b70ce054814fe1ed0da1

SHA512
0d1018f3281762859088cd27649491eab60f7d3c5c7bbbc5dea4b9e13b882afecc2eab979d0387a7f7f5c7f5cd322ca0789000db40be8849ce1701e0db32c67b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
53a19f01efa8a7f69aef31d30a0cd613

SHA1
11277adbd8629fb849bf9a814475dfd398aae384

SHA256
bc8ed011defebca45728bd6249e480d8e698c8aa8c94f46e8a1a143f6f43ee92

SHA512
7b223972b4f4210c29f3863b0fb2a952a4f56a93a282d9ffd2a41853ee5fd0abb08e3bef34afd2004f5cba52992e6d0b53ebd69072f50ca7345f83fa32a48ee8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
22453055f1bb1fb35ffbe12f6dab0142

SHA1
69be4e61b07e189bb3d6f894a1a0fdd0622511be

SHA256
3fecc9669f077bec030d331be5f3ad42ec807816f6b0526b8cbee9b746b61dc9

SHA512
03e89dc87139e236098a9b454d23682bf35fff4330c667f41dbdae4cc36f381b0aa492fa883da0dec6c49ccf6aaf6e7ab7fa8f40e68a7a3445e7b8153b2386aa

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
537153b09775149b38db1341dce3fffc

SHA1
4a0e4430902de4632c0ed0116a7cf85b181c8927

SHA256
31547805be62b2be60e266dedb9ceaaf7cfaae1a18ae6d1cdfba3592a6a41873

SHA512
165f8085c7430cdd1ee01de95137daf06331150d41853c42f520dcd9dfb5515cf4daf460a006bcd7de2a2d65c3f437701098fbc5240c09f9f28773b3a86e65f1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3b7c1f9a815a7243f248ab5f640d89db

SHA1
117cb6cae6bb1d6973f47bf3864ccc9a46b2e245

SHA256
30ec1bd4d8ab803e7cf0f14c2adca15c3eaabfa8c2846786a7aa0bfc1edbd9f2

SHA512
524760beb5045caef5ec0154219a96480e759b176d11d6f684093ddf82d0cb13441e92406331bb5eb294d5bad19207d00540aec7c37c5cd801553d7a0248f92d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
76cb485f1b2332b673557a76a9ed0d22

SHA1
2e85858d144fab578822d21f769ac1364c56769f

SHA256
fab3f9b45212759286cc23a64384adea2c21ba5e8db8166c37b95a491bcf9100

SHA512
31531351999132899501ae59479e8cb9e95220279ccbd3702080ddf9e5ee6e16ab0c058a2715aebdce22b2be2cf8229d637ab146b888ffc3c177639420ecc0a1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1c8437fdbd2b5fc633f9aba939317e5b

SHA1
7a88d619e5b8eb60d48d994a39c0b6b743dc64c3

SHA256
9b1bd9d6cd0a8950b47475036238dd44936c71d0de61ef1c68a8b1633938fedb

SHA512
3dd9fe4f9155374acf59b233c520618aaaea5271fd4892678599f9d32fafc35da6f6e7cfa2be0a0d59d09128b704df27ef192680d8cb86f2507ee5b6aa771849

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cf6275dc8ac9fb8dfd843574c096eaf2

SHA1
1098fbe6a8e01567be1b8d0b774f4733630eab54

SHA256
e30cec4195c4e402177b9916b355e78e242cefc77d37227a7f03b3d32afcca49

SHA512
14f08761e13643391e178eb9903cc42dccd26d83e23c32b8394f5d4054400860594604fc94b5108035e9a111e881051c57d292b3dad7ecfe00790e8c562a4446

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8ee39ef0bead9541ed92e81f889e0468

SHA1
a8c6848426db4225a45c7bc7ddf0c77bb14311cf

SHA256
cde2cb3038b1b301d18f66e518ce4affa8c965f816cc93d97bf9e6708d45ed7e

SHA512
b0e391706e1bbd3d438606b42062ba5bd4c3e994afebe1583b952cc19e48b2e59c94017a473334e188206c1d08e15ed45517ad337c6782088d1ed8e336419aee

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6852ad284252e162fab39da179105af8

SHA1
81b3e118331b27814550a5b444b3d39134b3bdba

SHA256
da035233090d2e2d801c1964010009aa8c79e4234cdd836b155d793465a2e5c1

SHA512
fd89a2907326ff2c1bd66023ee327d4da24f4381a497688e02c1a15e6d0cab64e37d0310bab88bfb72745f2684d155246ac0467461763f3c1559125c5fa47b7f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
f9dae3e685efd26b42a3106a4fec1f20

SHA1
d8bfdbdef38ac9a6822f9eaf7c53b6c98621fcdc

SHA256
be078648a2f657f98493d12a7ae5de08335e9f68840b49c2cdff7ec91fe81e27

SHA512
e095ee0b94505d63c3eef97fb9feac79f357fa5e47e1662f8045e909757dafff31115ef6959da8eebf68ef3d7614fb1bd4fdaa92643b916af0d9596e4fef12c0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
25e61cf99822641c0fcd81387e6ee0d3

SHA1
c0b80c9d90f68729e19d7361fa2e7f9951e02c7d

SHA256
e699187dd238bbb31fc75732306e69874018200a7aac33a12cd2026a604acbaf

SHA512
6d1d1eb62e46903864e9115b274d7c1d0ef2c3d5b3b0d503e2fff2a7e00f016c344bae75b35f306697a669533960fdfd75ea6015c3181e585b2c711636092369

Download Submit
memory/932-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/932-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/932-21-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/932-19-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/932-129-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1116-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1116-136-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1796-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1796-636-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1868-39-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1868-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1868-47-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1868-70-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1868-73-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1992-206-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1992-483-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2136-209-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2136-91-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2136-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2256-555-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2256-243-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2836-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2836-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3036-110-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3036-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3036-8-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/3036-1-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/3056-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3056-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3836-632-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3836-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4084-35-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4084-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4084-27-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4132-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4132-635-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4164-76-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4164-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4164-82-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4164-86-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4164-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4276-195-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4276-482-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4316-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4316-478-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4316-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4324-50-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4324-56-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4324-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4324-179-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4480-472-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4480-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4564-439-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4564-162-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4608-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4608-484-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4620-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4620-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4988-122-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4988-236-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5076-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5076-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5076-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5076-194-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download