a308c1e64c415f9b0687d7a059d5895efae455e4904840bb1686b7a7c1c27aa6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
Size

2.3MB
MD5

bd4c5a755b1c04f2ab237f78450b8cff
SHA1

d9b0ef41c9e41520a86f35c47ca22f0de65d76d2
SHA256

a308c1e64c415f9b0687d7a059d5895efae455e4904840bb1686b7a7c1c27aa6
SHA512

6a4c8c6bee42d3645427c9e4ce577a9557fddfc982fdc0cd26233382fcc8bd625b627dace92df40579388ad9fde3dbb045b10eeae2ee8358d5304b71115080a5
SSDEEP

49152:1f3ZoG3UCj5qzWt2skmzb2R3NBHCYcMKCqy+XyTmp6IwDmg27RnWGj:dZP3UCj50WtQwb2R3N9cMKCqy+XgD52j

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2668	alg.exe
2452	DiagnosticsHub.StandardCollector.Service.exe
1716	fxssvc.exe
2384	elevation_service.exe
4088	elevation_service.exe
952	maintenanceservice.exe
3936	msdtc.exe
2624	OSE.EXE
1248	PerceptionSimulationService.exe
1528	perfhost.exe
1448	locator.exe
4548	SensorDataService.exe
4852	snmptrap.exe
2400	spectrum.exe
2488	ssh-agent.exe
3424	TieringEngineService.exe
3536	AgentService.exe
2312	vds.exe
1524	vssvc.exe
3056	wbengine.exe
2424	WmiApSrv.exe
2044	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3f1bcba7293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exealg.exe2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b4eb234d3adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000739f853ed3adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000009bdf34d3adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000484c3c38d3adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083887236d3adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f847538d3adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004aac7c38d3adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035b6de35d3adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc9fce37d3adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe

pid	process
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
Token: SeAuditPrivilege	1716	fxssvc.exe
Token: SeRestorePrivilege	3424	TieringEngineService.exe
Token: SeManageVolumePrivilege	3424	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3536	AgentService.exe
Token: SeBackupPrivilege	1524	vssvc.exe
Token: SeRestorePrivilege	1524	vssvc.exe
Token: SeAuditPrivilege	1524	vssvc.exe
Token: SeBackupPrivilege	3056	wbengine.exe
Token: SeRestorePrivilege	3056	wbengine.exe
Token: SeSecurityPrivilege	3056	wbengine.exe
Token: 33	2044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2044	SearchIndexer.exe
Token: SeDebugPrivilege	1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
Token: SeDebugPrivilege	1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
Token: SeDebugPrivilege	1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
Token: SeDebugPrivilege	1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
Token: SeDebugPrivilege	1336	2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
Token: SeDebugPrivilege	2668	alg.exe
Token: SeDebugPrivilege	2668	alg.exe
Token: SeDebugPrivilege	2668	alg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe

pid process

1336 2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
1336 2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2044 wrote to memory of 1240	2044	SearchIndexer.exe	SearchProtocolHost.exe
PID 2044 wrote to memory of 1240	2044	SearchIndexer.exe	SearchProtocolHost.exe
PID 2044 wrote to memory of 3096	2044	SearchIndexer.exe	SearchFilterHost.exe
PID 2044 wrote to memory of 3096	2044	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_bd4c5a755b1c04f2ab237f78450b8cff_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:544

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4088

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:952

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3936

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1248

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2796

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2424

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1240

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6940deff40f36f5a2def12d3cd7617d4

SHA1
73198f8228d92a141cf797330898cbd62c4bfe6f

SHA256
9a669aab6d4f8cba26ba1b837cc30ea435908c0a779fc38552c23753eb9ecabc

SHA512
8e9b11625f90545f3d3884c3970835b12352ce64fe7a1615c7675e86db4253ac7f391e3c9dc7f2889da3c3c37014eee164de066862abc143dc4255dcfd20693c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ece3368b89042905273f0400aed7e840

SHA1
b17db4587b6658dbe682c2dc87a25dec9e236594

SHA256
ab14e7e0e971207d7cf2dac4f375d21c71fe8527884b27d598292746e65ec4ca

SHA512
69303659e022be06bf240c5a066071db79e6ee7d2f1dc642ee083d78eedde17b02ab809990972c5400b3f698d41e2e14779fab2e3a2f13f58f935408f0e32cad

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
ed535976d3bdd84eae420c21c635b105

SHA1
a2600fb6e2701ced22e0bb7dd985c2d8a57e3cf3

SHA256
27b5732ac7e0c1fb07b1a9b53d698909cdebc82ef31308fe3ff55a4cdadfb641

SHA512
f4cf2599ccac7f81452af88980bb729a70151e9991da12f34dfcb40a7dbc6335206f2226b165c04671d357887ef6901e1af5c8dbfc057314a51052d7085c0fcd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
19b6c34e66ebd805b160fbcc576ce86e

SHA1
de4e8952d15855156d5fe0e6464998bbb3aaea73

SHA256
2ef7e9744069824af62305764c0dde71e8394efe1a03810e63685ccfbdbebb47

SHA512
7cf002b4e6d3430df74a70089ea9cbc06116ed1252be6feb78ff7d900d0930f177ef9282311a529e8afe2105d32809b2754bcefdc90edfaf4d3db19647a5d908

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
782f2bb7612b6903f44ee044fb19fa2b

SHA1
860687d36e9059b4379aa105c278878ea98dc1d9

SHA256
e2019a92551b99597180edea056f07853159b68e88e431474db2b220f1d13188

SHA512
29c20ecf53769e5e2df621f96ef72ca997bf622a2d8408272022a6df7550a5269535f221723562375aefff204a93ab787915f7f8bf45007ee2410bc5203a4d27

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
631b65615c919cf334ecd0a599398b5c

SHA1
66767a6e92815657f5221802ff133eee010d9339

SHA256
0a06581ac640d1384723b68c33d79b9905bab24308a8c75ab8e972bfebf861b8

SHA512
df7596798ec9960be9123324a1e7bcffbc4fdb70ac701a9b4ef6524ec2b1bf74e3183d675230ba41675e4ae027bfbc2eca0a7a3a8cf97ddd20b3fe201e3eb748

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
3b6855015fa53207aedd70784d37e72b

SHA1
5987723135e0da09c0d1d71c4294267742fdc989

SHA256
108041c3dd3333398b820ce8c80f3663458dc594e8b9d339395d9a3a60c3db35

SHA512
c8be0621e588085aed99efb0ad5948ebc751f059d98a308fe7264b59571c855989f863565ed89b929297528acb8264a001dc81e3e7cae42308086236ac048c6b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4dff2279e4c0b663ee5ff5db0e061198

SHA1
f319d241d5d8f474909a8adb16ee4ccc82122ab7

SHA256
1d067aa8909cb8a7946d3bfba22606ad9e55d45abd231eaeef40eff8aa4a6359

SHA512
85ab01ee87bddeb209b66e22dacf25f4b9d2654e1056863b33f30a6e4fb4c64443a9fbf64a4efaf955a269a9ae240eb2fa0566ad482c429316339ae10a9ff72d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
2445d62d2133b9c4c188e13f15733f4e

SHA1
919ce28258724b47e0f3d838380803524ccae3d6

SHA256
a49e1e0f8297bf075a3c4c2b1a7fc57353843c427a699e0616cd7080f8a7b39e

SHA512
a430e9d67b4054fe0df744a2695b45a6a27c47a50f87e6a17e0f4ab540bb774872fb7e164eefe396c2b7705d9e2c7cc52e27116a607b0770dd8dd30a230ebf78

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e8b043b86d9dbbb2b74bbe3a74a45ffe

SHA1
4cbf4d7ff669aedcdd11b8e85679bdd0b1d85640

SHA256
287fbe0287206e672946a1d21027567923b0f2e4b325d2b7df6100ae86c2b2f1

SHA512
3e876d8d4f034ba074484fd3a0b7061a5b2e04c1310d1b3d30f327152041313932e7b51141fa9b1bd00c3da21a0223d1afd99ba8438aa8ece00042245af44a3c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7ba81f53453d88c12ea9b1ab578da72b

SHA1
26be4a16ee23fdd22ea9ebcb44a58ad953b51e94

SHA256
2a6cb0020c43beb97f0cdbc732fdfd58bdb5438f35d6747ec0c513f80fc18139

SHA512
14afb9fc4a4f8f750e700a47b4927a9cc6e3e85f352ed73686e7307f2b78c4e492553f3bb40c00bb0bf527ef0db5081dd8623f9dd652d074a8e5d42c3759cf2e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d96b9bebf3e40b4a154aa2264e16a9f1

SHA1
b1e5df696b7cc822df4241938bfc276920ee8355

SHA256
e93de654e0954f4989e5508231a58c6906a78dbd11674ccce6e234033d4ecb6c

SHA512
c2fca1c047cfb7ee440e7958401f88dbe505483963a88b22ecc265c38d4ec96f48357d644acfc9497d7e6ae627847c4158bf848441eea4ae3db239304f1d9ac7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a520cf6daa1611af3c687a5b551dbb75

SHA1
c1e553f462316755b6cfe6e8af94685bc6501668

SHA256
93643724bffb820ba0b8fdce7536e582ee6d50c610cba1d72bc5341b2c908593

SHA512
ffa7a5a672c03c776370069d48bd2b5f33147fd2d29f85b416f14ebdeb552e1531e1610438eae1a3f9cfeafa223c9033f83d62e49e2f564a1c0bed2a92313abc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
c4a863c4593c29e6666b438dfc0351a0

SHA1
cc63724149181152bda0ee394b85c6a17e9983cf

SHA256
6f710e310b6c911c522026e3dff9d778fce5f46bf3d4942845ff6b8d84e5a053

SHA512
fbfaf4c06e2a027b4c28f3921da60848b043ec64cd6affccb214f74f5504617faf64574ba00c4217d55fb32ff6a782fefc2a2cf7b712958adef2555a5cc0957d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
cdf16054afe90576c1d837c5896d9731

SHA1
2e8795a2f6f0327d3523d3400df79ff6bf4f092e

SHA256
d599ae472a0857a756993246707b5db3733bb7eecd21f1fe004511486965ea3d

SHA512
8e85e23a7820b2e274923494ed0c5c2e31e34058d8a17d8d494d342785becfc555795b418d1c58ce4d6c9606ade2a80835af244f8d188ece747d40a0e87997d3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ce0f9db952566e11c0ef4d6de2894180

SHA1
262f14b87532e80661e47c5a92b5896a3c9b9819

SHA256
d4b4f948372df4facaed1406deb2f19db228036cbf9028a8b68cadc3080b81df

SHA512
dfa99fbbff597c3783e38ab6af39ecf904b6e5119ddfb46fc6b3e0b86a9a705bfb6ca55efdb69bf0a865e5712a7a43c7061ba0ff418f3f49c8c8b52c78155e63

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
014a2879b6d59da4955b2f5f4e1f1345

SHA1
3db6de83aa2177641ba3177f560873837e4ab109

SHA256
7826ede17316bcf4cbf3ceeea1ea093716eb259853fde079d575e0b364c6ad4c

SHA512
f169197872c565521ca571ea90ceebd37703e8f420851472cc187cbb5bbfc6808ff31288e897910d510ca52efcac9129b336799d12747238a6e21ca3a571fd22

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
034ee4f6f79eea41094e787ba18933b7

SHA1
3f2683bdcffa8db33cf0b31f78e19f0eedc84783

SHA256
a8867fccbef908bcdbb6ceafa83410aace3dc1c2daf263c16dd3d0dc9565684d

SHA512
b7e1ae3fbff3b0c63925fde51b01b3480b86ec07cee3a8658890bf18bc52d9ab8b3d42bc8783811ad4a69c39e738bf0437d52c793a0740e06a12d342c4cfbbf1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
589e41b5cd2ac19d23f19244fcd59da8

SHA1
ee30bcda1be6a188e443f12084740ef9a1c8d8fc

SHA256
272985c4d3805a15b9e0947ff689f24102b6418977bf0f0dc1f5b493d6b3e520

SHA512
92a9f7a094df5150b01efb7dc7274b3a44e8da9b12b7d3714f8749e33df42594fbf8a6269e4616ee0fc7a62ad92f02b36d7903e0a698ee53fee4963bf6cd12f8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
6729b3c374a71fd3fdfd822b1b3b9746

SHA1
851974e62f38cab7af90cd776f53c2d2b1737e80

SHA256
251830004bfa1e490922f6504e3a1f62b5891185ca39c71ef75dde0147cda91e

SHA512
b6af29259d934831115a01c3badec52ca8fb59c62340505eebfb649eb3e619f2e2b5cc426ca0e007494cc9653c8d9b9e4e56449bb1e1315dbae8c97a21d30dd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f72e2e75f1c3cfa3c3ae336e2c861528

SHA1
e8f3487615135df7b4a5a6d54c420e4e4799d770

SHA256
9e0722eb01839a23f53d22b33f6e6b1bcc1d829e28b434062e850da9d5390eb0

SHA512
810447314e66a99432a1b8db2c35f61070e0cb710fb65d297c837dcb5d9052dfd64e7be2d005f78db3a56a17e3eea3ff477c69b307565f8eef9ac1ef2fb9af69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d1162bf0a17fea58d5005fd346eb31f2

SHA1
9b082719ba4749efbc9e8be43428f93d76657fce

SHA256
d1991251dbf8fa0b20f7985b96705ca94d0053998978779fa7631e3c646bdb77

SHA512
968fe2f2770e1463c4d39b167cfeafa1fe43abcbbb417075984c1a1476eda5f5feec23bcbfb9f38284032d493e6f52d1729a0c3d6c8464621909693926a810e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
26d40a3b4a3fd4e7d993255058254798

SHA1
2cda27677e4375e5dfb92a538ad2ba3cd4f6c06a

SHA256
cd802c7e6e5092ac7dc793d0721ee5d27f9b7256f4b14979c16bd8a271d6dd68

SHA512
f4af5c08765640c096cfba9d7062fb5a6ee037867a2de1264868dcdfa7ed539cb152bcdcbbf07e956e6e0150f249ec027584d92381ce6d9f9a406b8b02305a20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
af34985e82784c752c340773cf46933d

SHA1
5f6c0d46fa257da7fc8db70e039783d4f30785de

SHA256
3938b1a7d493a47dfffb62cda235190a0e16765a2a84762013f6fecf090e4a04

SHA512
cbc28df56ab64b98c2814b409a2a68ee0a333ce0f737c46321d24537a36662a68757b1cba1caadbda41f033448afe31acc32f0c22aca18807de3b2173bfed2e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
0ccfa89505a06f2d9a8427cee4272daa

SHA1
17aadbca15e9f89faeb1c6fc20ae4519781b16d1

SHA256
c1dbd4aef42b7b8419ab1c9ecd9d96249db39760ae186029c69bbd049a990974

SHA512
8e01aabfda19b9cf81c59b011bec1bc0d16874dbcd84c4d1dd11a87503db224640a1a2393cc311d68af6c478a52805047eb6ea6a87afb9754e0433558c984b9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
0bf8b63ff96810390a889a53dbc64a9d

SHA1
80ed0462e3f015f189f13925df155f6d759fe1a2

SHA256
fa6e7df7cf5e54c681cb8c6dc7e78f2fbb93bda663e9f04caae1a07c7bf6fa61

SHA512
44d9ad6bcdd96836900337ddd6ef7daa5ca5704405e0a79e0dc0c2c0a78ad1d8cb4da6c12820cf0b2a74f916b20a9882c0b235617cf22448b2705e104b18d6e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
04009c6e526625d9ce0fdcf152007c2c

SHA1
03b3458e1d834d902cec41da2950319f0ecc432a

SHA256
7687da6c268cedc8a2b1096e7f3df0d63f13f4a5285677a40ff3bb8cbe230afd

SHA512
5c26f829c5ddb9614cb7aacb589bdffe4ee7a1cdbbf5d7f800512becc9afed9ef8f874a7c4de69a187c4804cd68c7e912cf97588280d71f56af028c98b3dbaf7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
adb10cfb04d79905bce8e85801903273

SHA1
2fa89960397c95161662d9df033e8b14dd1ded8f

SHA256
be45d6359d23e26d9bdd6e2654e8e654b90e1a4ab9580e902ce294fb72e78b3d

SHA512
184c8cdf7390ee4351e187cdcf829eb6438c1663da345731fdbe2763b03c0a1ee065c1f673fb0a4d73795428154d701570be9c642ae7e3c8032b9f7d04924f79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
9bf3c9ae9c2d1ca9362db3daf8ba0c3f

SHA1
1b3c6034a98c48a3f25d7692fdec272534815395

SHA256
5241f69bb54bb994aeba3cee4b1a623e688cb2e4eda8f8472eec5049e227836a

SHA512
38dcdbc2b0aa802e01573f2dadf2f6df4a647ce68a6b45a8dc2150d392f17df0d5177899786de3297b16008ceeaeaeb039cfbcb0096f36d37eb4e8fc644ce369

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
4dad6e61213f06d8be8bed071b49bf0a

SHA1
6c2c63e0998f7b5bae93971d7de8614f2c2e4dcf

SHA256
978f7dad4224657a1f52f4a824397b922faeda16d65959d612dbf68f432ea2b6

SHA512
87e56bd58221d5008626ba036ad4eca5f5f2f8c27eb39d80b147fc1ee5cace9d9556dbbbb9a2edbe73e7c0ffaf15982b3451d7bf5f66bee31fa22b5e9979c29e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
855e46f3a0e07199f391fdc9480d26b6

SHA1
227605315d438abebbfb2599408651cd342dbcaf

SHA256
a38b784eac589ee48c68b95031edb4386404691ab9812c583d9947074c379ef4

SHA512
020d0c1e3ea82b41a7d61e974ea83ef64ecb9446ef8a5c86ba1a4c53ac6f4c7a3b08b88a7eaf7b5aa5ebfeea37a25e2fea03a2246f6e64048ad4cc259b800fa7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
11305ea832c8a0f62de5674ecca9f5c7

SHA1
16a691973f4f44db787c80c4ceb9edabf497b076

SHA256
b9654ab0d71f6a23867efb4471e27905475ee9828bfa57137fcdf641091997cd

SHA512
e9e5972e61e3dfa1e0b8cd1b6dec871c6c7163675828d04e30d911845469686b50ecbb8f0d5896739a61cfd5a9d39425390a482f598be1c8ac79a9b4ce08e221

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
b51a0e63db1d227bd5bb542e8d62370d

SHA1
b7d21915b21df47b3e420b25750adb3ca723fbce

SHA256
fd7f18d10027d150f0d5f239aa8f977d4133c071f66848163844dc5e6a560352

SHA512
ea61740e1cb38d26c415155c56dfb9d317155c9c4103dd82fe8cb2e57a783aad170c60e2737136e696c60b0a13687992a7b8b0ae0d81a545642f98ddcc1e4ad9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
b7d77d003cde65e259ddace55c31d854

SHA1
010168a09f586e8a4f94f6d87d3dfbd0c7cb5765

SHA256
2778eba98fd71ce6d7664b4381d549f33196b21ec24f3f3d6ca50caafd691e24

SHA512
ed9d4aa9eeb9a5ef0ebdb605fdd4d77600884a9540c66139552ad04a4354871e2d05ba0b84c146c8a0a260c0e0099aaf4c2c7e0e62d44f6fa9bb568539165eb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
4ad5c4469100eb035ab4e9749cab6529

SHA1
f62f93fb969ba83d2c3ba3873ef2fe4071092f27

SHA256
65fca0ee8a32b67acca91917f032082d2fc4511bc671e33c8981ba0b9d2b5f8f

SHA512
8ceba5b8476910981867977abccea7a152a0f182bebdff957bcbf52bb932aadaecb1c343ef615e1f62e66337de512dc48f85ed429e91f8990b981a5568c97e05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
7aba5b002fb19a891497878d4f6259fe

SHA1
33c88ba3cdb29e8763c67fa0d395dd23b10b943a

SHA256
1f8d52169fa31d92b9dd40de23467fa29102d0e61671e282ad0168690190ebc2

SHA512
5b91c07d81c1cd6f2a3ea5eebcf9db49ce28e68201f926eb1df5007e7e61641216e76de4bbd11b50b12681f1fc2c4aac47a7088b5ab05ac8567a724715e66b60

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
037e9b10a46eae65d8986a24291793c8

SHA1
5aaa3c3754d98125f76be587c67049f3644aabd9

SHA256
96440dffc37ea28c5389ff405893e2cfad6a33190b570dada39f3023c8b4bc78

SHA512
607b7b5d827ca5df8e3c491f326f4532a199862d89e82090dffdb43cb58ff5e4b130ba271dfb70909dfcf4d2a082aed24af5e3ef049736a0007bac03c72502c1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
9817b13583df73dd9424990bf2afde22

SHA1
b8f29c9a5c316e470f59af0f6c1d95634ffa4574

SHA256
abddd2e4a101a5da5c8f7feea130332b028ad44498b690be4f2d3f0ee67dd783

SHA512
49d77474049033c3875a5f8b0c22f765f2306a7202e9b710c8409806c1fb14778b499f4f1df51b0a7fda2074fcfe74ee37eb8cbffd7d4208c67d50993ff150e8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
32ade37a6684ee0e42a9b2b7a72a7913

SHA1
5175850f4c36075265ae996cefe41173d983fc2f

SHA256
5b7b9deb0377218c7e7c74cd3a3c1111dabe9b2c577807c42f7fbb0e4ad29bbd

SHA512
52626664e5c43b913c56b64c1cc13f1f6aecf75d65cb91cfe68aae04307463cf69b3ed24660c96dcb45bd6e768f26b9307e7722e42869a502b2c9158b3d5a020

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
129e3c823a4feaf8ec140c3d3694867e

SHA1
34f864e57e5e70fc602ffb90210be400a33a93df

SHA256
aab7d5a4d849fbb69fbbbf4025205d96f2ac7e391721024cbc98f2d2c69cecb4

SHA512
87118ba87b0a6dc2d97e8eae664eb09f3e8477506bf6334b5d22d945d772ba502afa1054ba41e177d61b322583b9e04a2d488227b9255846676df625ea5f0eae

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
cd5b2bc77699ee5a896f9637ad65a31a

SHA1
e1843d633bc9b23a5a05316e36be73bd560af17c

SHA256
0614c07c8a6e136caa804900f9b30ea9490129e06ab2f9dd3d61b8e9be7df9ff

SHA512
9bf9d9079c9eb780ecd43248a5494c54af2d7e339666441151283adcc77cc1933d16e186770cc1a94dad6082efb0538f8f0f061295bc6eb37b2d5523b05c33f0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4a762042fa4d24bd4f84964d22ca8a0a

SHA1
45ba329b6495a17b3b2d5ca60dc417975cb84bc2

SHA256
d5abe0a32e3e6f7fd50eccb6093c42ae70809b4ddfb9beedeeda73abf9557c7e

SHA512
c67f8e04e9ac54d95d7eecdcc0e9469acce323c5118bfeb4af5b3b0b9c2a05549cb18e1c0a7b68167c159c8f6b0fd34d9e7e6105d18fd0068b750ced423ed427

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
8ada1d83a5d8911a621a7b21226007f6

SHA1
901cebf28d7672b7806da0bd9665b0986d868247

SHA256
98f54cd40e5a47e630fb9e10aa28d9ba15ede27487cca0b5bdc666e4b771c701

SHA512
c192a1120dc4dadec4e3e159fa966e7eab7a0bd345e434265f2dbf4fe922403eee6ab3b716d7bcf0f2b2dab3b40a3758dedc0274f1393bf46aa3cebcc16f4ae7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1cbee5d820675de572ff03974172e68f

SHA1
236ad876d3037aa9aba7c3b549972e53eb908b71

SHA256
1ec525eaa7186ea71ba57cc4e36038eefe90fe4cf9483f1989742f42340191ad

SHA512
e022ee77f30db721f30bcc84b83c75c209b0e421b50c318b37be43f33666ae9a7a74456059d93a07e306661a76b7304f6a3b4cfb47a70c43d958c6d8ce7af9e1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
6343a387b0e8f0f2f55477264a2e0d64

SHA1
badde9d6e41e3ac387544e4e8c17ce69874664b6

SHA256
cf204b16db17537720d7908a9c8c28f5dca1c85031396eb9894fc63aeda06ae6

SHA512
643df4dad3d5155c46ff06a9b49d1ffa48d536831d94be249b22a89e5154bf5a03f7f23e9ba2972a03d182c4c8e9996430c2c1eb1e8c00c2ed296f15aff107c5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
93c3de6ee1e0417a26d6909bf7ca2433

SHA1
b15d366cac2d9e0acf6298c22b4b62c3f52a7db1

SHA256
950a07de86980da20bb9379372b83065ae5a01294102d1cf9c83a2a7b556ee05

SHA512
10355e2817efabd7ceddadd0c767d6876f73feb86bedb265b47246337954da5c96f66cc7f36d2cee3f283ca756c055b94dfd785ba082f48429fdeae699236d2a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a7bb33d6d8162521ce17e88aafdd178b

SHA1
e83e3d1f3e2ed8c0428c2fdc986b86d0d97b943e

SHA256
fb5aeacc457455a1859dcd16296820d08cc5e536b3c398b1e60f9728f896addf

SHA512
61594ccb7ef60d51b8092432584250ae2440c1d51acb889faa799832c9d8abbb83f8ae119200b9cbd15990b9d4e3d636f199aa6ee652a323cd7736b007d48523

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e6f75383c465bb7db3ef0ac876812623

SHA1
0dd3099471aefd7b5441dfd15b0407a0597a4aa1

SHA256
b764ba6318c2c7c2852ef3cf8537709245a2c0c4dc30534bc644f3ad78bfdc4e

SHA512
d8ff556388798769c28538273eaa86d67d8854589b472cc5245abd1194f0b01aca1f5770928dee6db40c4668f2f049ef4d9bedea9cfa19d8068e5e72d7595680

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4b9ba6fd98078355be0154e5d01e79fa

SHA1
a43c9c51d1b1c02d8aed95bec60aa204f1fa1544

SHA256
5b7731f08f0b4ad4ea95e85849be307c36790ed5f893ff0df7e43181dbdc7f18

SHA512
345ca721b1055173a5ebf0b11f5c87e42a1a74367eac15b75310b19be883c21881f50053e41d1c85d43ee587709baf44d4309af8ee15928a44d8624475f757a2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e6f475d9f9c08520bbaf7ec7a6ed96f1

SHA1
4a30f1996e030f637262dd66ff659f196cc698be

SHA256
0fff6ac8c500d10ca5be22dd68022d4f270720f0e3c6b7a8cba5f6064f17e70f

SHA512
2dbb24a7e9d5f03d71c73e46ba5f328638b3c8bef7fb25abd99318d414e8503eae4e012273c5f096d0c3df5338e8eb3eb36e9a14c3b96410173ff3fb70a8c2f6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
8e4e49552aef61fbcc0092abc99cc53e

SHA1
2e48fb9bce6939361091da1e9bd4738b12d4492a

SHA256
9d6c70269031cc470d4fa86c8245e9cff3f00fc9cd8f3346dc7bbda9bc8cfff6

SHA512
5caa6612508a7e5b1d0b426a6406f559e62e29816c5a27564b0fcbc2f62ed3bc2d066e03f522ba71cd44b4a3e1a70ab94cdad9f605fd664c7057f7d514ec4656

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
15b128c38ba0f731e88513aa6629e4a0

SHA1
dea8dd8eea8ebc98a8b1a8967975416635c78b3e

SHA256
6a87ecc49795c72a047cfd6bf901c776319eb8e64fb2ef587c691993425275d7

SHA512
5e38f3ee21dbdc41efde5f5b48b88918c45a1825c9197a2aa226d0f5eb80e1a497f40c2d7511fdb58395f5c1b795ba50ebaa8ea167cc8514443dd5a9babd8e70

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0a4f9c3d0494147308cdf3c58a9d4d70

SHA1
7d8b3323ef3e114c5fd9294b47ddd26964b80b12

SHA256
62548de7de6102dd9eda6704b0ce61ff601d69f164985755b7e8deed5695763d

SHA512
ac1c167504d48352bb66ba3f51784b080cd7b56d3509e8464e60ab8b1210124ddf1bd71cec4e06bbc8df849b94a99d853323ede7612163331c55baf141635987

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b2372918fa4b6379bcbcd5b84fc6a7d0

SHA1
445272ffa80bb5e13c32400edf6daec352ac7bf3

SHA256
4ccaafdacbe42b3f22dc31c4a8b491c52867d41fbfbf50d7ea85c3360ac06ac1

SHA512
5aab7f01784837915a4be0ed9a9bc8954cd3015f69f253db43ced7f4637abe3c26bc2865253f4e5198050f7921d01c1cc42a1dd28064ccc0cd841fc3b5a2b646

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
372a851df6d7bee00152c8061d2780cf

SHA1
52e4b39856e5132c0f8bb205d61c65292fba9446

SHA256
a156b091acd528586345cd4dab6574228c6db2b7ba58d102052dcf423c3de75e

SHA512
8f884d2eb3574e0b47e57d01ee92db28c8d84d32ec6d46067847e68a3dbbd8b38c7c63c410f5b99ea1be72eeee37a45642f0ad97c6ea7093274918a45ff07c27

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0f1af1f9c124f26722e279eea639dfdd

SHA1
84e9fc029d7d87483609b657cb7e733650114247

SHA256
a2d8a854a54513aa1b4d8012c9594a034dd5405b04cb773c2a2f65cd17a6beb8

SHA512
44cf7b044237edfd4b3de52ade6140f257e4ed1719e5f5616751e3a24017d93cf5d8a09790bcc05ee530e022f6cfb7694d84f2ca95641ea757e8e8df60577791

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dcd81a26f26adb6d80c1c26b966bdcea

SHA1
8e8f9d965547ad777dec908e21b120099743b5a8

SHA256
4de1a8a314ea86bf6c241903b7c098b30130f2cc7b56ee8c7e3166fd6d7d079a

SHA512
65afaf51c36fc6854a2d4cd6617a99291af3c62b27f7716c01bf15d7b69db451d4668b1562dc492bc64b1c4fd9aa10ff983345327c369aa9c424a91003fce82a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3ae6905dea83d254585968e95fbbc04a

SHA1
f90aad7096885c5dbf929ec6104ed57a03918fd1

SHA256
f47bd033b4c64f8f3a1654ab4259ad34b394b3a824ce08b78f80f74ab211da33

SHA512
6d47594126afdd45301ec370fce43872385d37de1a90de655f99d96331db6e57f5ad4f123e0c88f22b8e9004e58ada194953e349abd2272df943f7341fb3f003

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
30817f744fa67c452517002db8c54321

SHA1
a918d5822354c20417c37a5def10eb85fbcdb9f7

SHA256
fe34c18d90dd3b049ac9afc346d767a81878ceca60495612a09e3d41f8c62af3

SHA512
636f025d31f593c187c6320f5c5d663677fb16736f223bf69b8452df7bee44c61ef283d6a88919decaba017f8e59280075e8cb0c7db9c2b86de3bfd0db48e8a1

Download Submit
memory/952-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/952-86-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/952-75-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/952-76-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/952-88-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1248-129-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1336-6-0x00000000023D0000-0x0000000002437000-memory.dmp

Filesize
412KB

Download
memory/1336-1-0x00000000023D0000-0x0000000002437000-memory.dmp

Filesize
412KB

Download
memory/1336-99-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1336-8-0x00000000023D0000-0x0000000002437000-memory.dmp

Filesize
412KB

Download
memory/1336-0-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1448-153-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1524-303-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1528-151-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1716-53-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1716-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1716-44-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1716-38-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1716-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2044-309-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2044-600-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2312-300-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2384-54-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2384-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2384-544-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2384-60-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2400-297-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2424-599-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2424-308-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2452-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2452-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2452-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2488-298-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2624-594-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2624-112-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2668-22-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2668-12-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2668-128-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2668-21-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3056-306-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3424-299-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3536-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3936-90-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3936-100-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4088-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4088-593-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4088-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4088-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4548-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4548-523-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4852-296-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download