8d9e27d9f3c98c7008411c88da0616c01b3963a16f6bb84fed56eba89c8fcf37

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
Size

1.8MB
MD5

bcf3975c85b4d62c502db8ba17e0b751
SHA1

e80b339ca47e031774e08f9e0dec7553e1e3d219
SHA256

8d9e27d9f3c98c7008411c88da0616c01b3963a16f6bb84fed56eba89c8fcf37
SHA512

80648195888b1bc2ff0f2bc22642c0d59a57ebac9693c8997f55c3841e76d5804afaadf3b133f043bc9f8718912b56bd516a1cb3366d104d92197926a18a4adb
SSDEEP

49152:PE19+ApwXk1QE1RzsEQPaxHNdJE3jM2ce:A93wXmoKvE3Xc

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1456	alg.exe
3984	DiagnosticsHub.StandardCollector.Service.exe
1956	fxssvc.exe
4576	elevation_service.exe
3316	elevation_service.exe
3884	maintenanceservice.exe
4356	msdtc.exe
4184	OSE.EXE
4860	PerceptionSimulationService.exe
1188	perfhost.exe
8	locator.exe
564	SensorDataService.exe
2548	snmptrap.exe
3756	spectrum.exe
3092	ssh-agent.exe
1000	TieringEngineService.exe
4404	AgentService.exe
4884	vds.exe
3884	vssvc.exe
3020	wbengine.exe
4280	WmiApSrv.exe
844	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\45591991d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d6972bef4adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eaad94bdf4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079db1fbdf4adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb5035bdf4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e8b30bdf4adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f20127bdf4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000375fa5bdf4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002504aebef4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4ba7dbcf4adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe

pid	process
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
Token: SeAuditPrivilege	1956	fxssvc.exe
Token: SeRestorePrivilege	1000	TieringEngineService.exe
Token: SeManageVolumePrivilege	1000	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4404	AgentService.exe
Token: SeBackupPrivilege	3884	vssvc.exe
Token: SeRestorePrivilege	3884	vssvc.exe
Token: SeAuditPrivilege	3884	vssvc.exe
Token: SeBackupPrivilege	3020	wbengine.exe
Token: SeRestorePrivilege	3020	wbengine.exe
Token: SeSecurityPrivilege	3020	wbengine.exe
Token: 33	844	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	844	SearchIndexer.exe
Token: SeDebugPrivilege	1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
Token: SeDebugPrivilege	1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
Token: SeDebugPrivilege	1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
Token: SeDebugPrivilege	1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
Token: SeDebugPrivilege	1388	2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
Token: SeDebugPrivilege	1456	alg.exe
Token: SeDebugPrivilege	1456	alg.exe
Token: SeDebugPrivilege	1456	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 844 wrote to memory of 2360	844	SearchIndexer.exe	SearchProtocolHost.exe
PID 844 wrote to memory of 2360	844	SearchIndexer.exe	SearchProtocolHost.exe
PID 844 wrote to memory of 4492	844	SearchIndexer.exe	SearchFilterHost.exe
PID 844 wrote to memory of 4492	844	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_bcf3975c85b4d62c502db8ba17e0b751_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5100

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3316

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4356

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4184

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:8

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3756

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2148

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2360

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
2⤵
- Modifies data under HKEY_USERS
PID:4492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
4b0b4fee87a545eaee1130d1c68502b4

SHA1
cebe50fd2718c4428b2aadc9ec376ec712f7541a

SHA256
b6c06302ef4e6506e6511b4219de8f09c6fa67ffcb2f86e86ef491298c7e5641

SHA512
b5ca8326d8dc69a9b3b997e238927f0464c3c370d5b56587bd0ba20544b7a05fa0e2e0522832c3ba7a3bf8947c812d8eaf83d9866d555d5cade18f469ffaef02

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
f2e746bee7414dbf0f1583d096d9e404

SHA1
65eda8ecd6b0354933231ef737f67ef123888d1d

SHA256
814d888936938025737d47db91b7d3ac302d22b56f518532833907e9f86f37eb

SHA512
e8faba7ccf7c87e331c0a6b75349473c4d28b7766f18da503d002642ac35c4d9768da3d97b58d65f579ec313115076a2fa3b4d0a087837acb50362e3e675f96b

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
15d41e37914cfd6980ac27685baae8b9

SHA1
500eda3adeff177ccb66e94fa3c6598d10fc0f28

SHA256
d4aacab015f70f6458dec19527aed3adc220da18ce0d9a8f01695eaeeb3d46d0

SHA512
b73c5c1792b11d8e2344291fd67f02f843f0fbb6374de4a791853714fe57509750a1baabdbeed0bb982f8a3cc4be960af53f9c7ede0e20e93659d26cfe0d51cd

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e58d9bf22a90d3f80be86b6c2aa543f2

SHA1
ca8d0b208845f70ea86b6a1e8c5175b253b3c7e2

SHA256
036d12c42208a4a5b5368af242800689fd67e5fca0a95593c3cfd024ad42a9c8

SHA512
449a0f6e6e111f5c9b7f893f3fc94edba43380c451d8949b8d6bada61f028b14b817acab7a81b3d6e7d2153eaf509080289c5a6d73ef1b82d163c3d0d0ccced4

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
3bd0854a0a0bc2dc6f2d285543dd4f22

SHA1
e8c911bafaa9b4a791b5babcb8e6e27a1c214e03

SHA256
fa02042f7ab8e99c65da15e22d99d8bc927e3311fc40250d676f9b4f784426f3

SHA512
260e5fecc97d1800f3fdf0ea039f80a99fe8bcc303ff46935eff6b192dae3773b4cfe9ec6d7cb3c02c97bee6f408427c0731f7b4ff44e002e83aa5aec782dd52

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
8bce4cc43d923108aa980ad3d1b6e4c8

SHA1
639405cb8568b9b354b621869378d93ca56d4b15

SHA256
37d0711de2b37ee1452c32c0d1f6c8eef3edd1bd60a5164a17aa8d7ef958352c

SHA512
f949738aeea531d659e574cd2cc52774f47c2646c461b00c7ee67533784d6fd61ed0968094a2b883ae99f09711a5e28150a607cd9299cd67fbaa725bef56613e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
46072c0d623a9284b32235488c6c69dd

SHA1
24a74cba3ecb52ba35a7d6ee2e7214e28430dfa3

SHA256
15121d7f38d5c646f3403086ce8510b56d58cebf684a7ba49201a0cae341bbcc

SHA512
1646994de3561724ae3e424532b684474f0c3447222e4bcdfd58ba4443be0392fb1f35440d47ed776ff0c9ce6962c9c8c3161f8b4fd296c7d7f2c3d2d29b3261

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
1beb37feebfb170aadede5fcd4af9b7e

SHA1
f27d408088623889228329d5043b6dd0798839f5

SHA256
daff26d2dc75fe25d22ae964227d02965dbe6d4daa89298dea324307d4a1a768

SHA512
0f4621237e78de5c6d96e759d74cbf1a40c604243cc2dd430fc3c547925d269af20b57dd1201fddc2335a7a66c5d0abff72fbe5f27d455845e06572eae6e5dde

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
34adc5cbfa814e445e34b0db83f97e36

SHA1
502f8764533c2576e7a05853423317f7ad93d839

SHA256
ee4f7922a6a92610d1d46a8d776b6528f8d6aed1af79788c909ac949884022e7

SHA512
a711bed660344127b8756797ca23c1be75dbe5c2cf7f0918d697a7a604452b2c85f9b444cf668979d93e39fceed8d2b87647da4ad78579bb402c09815870a142

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
a1e184adac18decbc344527332a34af6

SHA1
72ea87b8fcde8a699335886d52b5a2b5970ec80c

SHA256
5f565def6f535769143acfd768819863bf80090f683f40e65ee70b8091b36898

SHA512
1fdcda3ba7e35d05f33481ffa87e45fb69bb87dbd7cde150447bc10252b1bdb83886b8f39664e260622131a6f75ba29830230cf26624081253e749f8d92ec188

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
e324245b54d6cd41ae374590a9fcbb80

SHA1
9facee78bec2a734fc252ecbdc8f604639e13f71

SHA256
bb08b408923f6bce1fe9f305b5190d4c8253ac3d93a83c37e1c0e8a56ab4009d

SHA512
8947730f8f5f0cd1bcc4f714f673bd5bbd8f9408404f168dee710ffbf094547a2e164b46bfbb22d8a1faff78a21a09d92af24e7406d8abb3c777e5f299278b6f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
d4641a48bbc93829f85142fa2aaf2a22

SHA1
d2b98777edfed1465fcebe67bf9a872e47d14239

SHA256
ae9de1111360cd1bfc592c3d4fc019bf6a92b773e07986df9b27a2a907a861ef

SHA512
d91db27cbd65e0d1e1b51f98d33d472ce2eccb9d2e165f156ab5ddd77b91ffd873dc32e0e217b351408a68a35143190941f4595c713cb3ce535879157875ca04

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
cb8b98566e65d3e9dcc192e11dadf944

SHA1
f4599ff566cec7b11fd8bfd8ea3602033bc815e3

SHA256
fed6dd9278b188886a071830511aa61d6141532f4a10d579c49a63afb072cb06

SHA512
0993d1974509a6609ab4538e08cadb8cc42a077010a7d89f74921d4436df774a6c36cade9c9ecda6daa25d7450c82557918aeed781ad0263b67d1bfc9f0e5cf9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
22822e6ccb624a4048f7a2a015c1196f

SHA1
6eb16c65cbd6de5b74b7bb2ee204bbe2323560f7

SHA256
4b3ec8cb3f8b6b8750940ebd5636085fb535b522369a169e885cb09c82224c3f

SHA512
4fd62bdf05d5d22509fde10aa0a414dc2a22c5ee1e6d3b053c25c111138ed665e77989c3494aef7321a3457397677473a393385d1211373948aa2e73389b9abe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
20ee8be7079d62a3de3ce6efe2233c9e

SHA1
301f6330fe3d7393f79609e58372e84cbdf39002

SHA256
1b0a894261722bd2a89409d7b2bd1603cce48bb5e9005ef3e1f91ba999d29c9a

SHA512
7643c7874f7f3459ab21e22ac9b538658635e66e479bdb9e07c241fdd1a66e9255076b351c6cfdf6e3853c102cbf4936587de928b39dd7e58a357b413ae1b79a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
65ff34129d79f4feabac8fb062c0bc66

SHA1
7fe7627c2a4dfae2dd7a09e3b919f29ac463bfb3

SHA256
0889d2baf0b93ed01d5f83a1c9dd7d7f18390d96cf5e323f3a4db7d3a67623d0

SHA512
6202b742054ae67c8ffc62b3ddf15dd3cccf31fc518377e98f00642b258176dd300ec62b09687b105c325c7c6be62ee917a3bd9941d6ebcc9a9cd8d53f799370

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
47deb80276d092b7b347d623c285da30

SHA1
9dba9fdf11178be927ccac1243d76edb4fd63329

SHA256
041cbc77665cbdc210e63f8c737d94c5a59ebd0214a4a5655fb11e3b994c834d

SHA512
dbd0a828c507796f1ba5d4fe2ea3e6067cbfba6d33739a48a736e7289ad29948695e3763d29a8b73cc2d54859561ccdcb76b8c0c6c81a56ce41f44ac3577fdb6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
e68c209577d32aed4ab63df66810baa7

SHA1
68bd393d073ce4e77a1874b14a7598479212c390

SHA256
27cb3b475a265ba1817561c8816ab836194f5555332f5d8f6480ab36f721457b

SHA512
aba2034827efa530c86906ebfa58d117914ffdcbf04357a4457de6ab8f756f63ba58c4a80165c7214e8ba531d1c7d1791e42c7ddac5ffca45f5fb776dd8b8522

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
800538125403bb9c38e09128fe77e86c

SHA1
4af9240c8e66433ba0c677371792bd80901b697e

SHA256
e47a518ce6e4044af810b8c12ca8aeb983abeef0cd738b9494740fe118e8034c

SHA512
cc3c3c22bbae69dfed885f65a32136d7c48982c661c728ff859a8ccee91455c98fc8f2aa36f402f574eace5390bca438f3c775d5700b57a204bc49674f92b23c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
206ad4802bef0a1c23ad474706be09dd

SHA1
1d07beb5a13ac634ab3737a67f59de55f157be47

SHA256
4bc5e633a1e04364ec1349628999f1fa902cf702598d1faacab6ae0c201a187c

SHA512
c3d3fcf84494ccfca81547d86bd43a1265e07b32138cf4a6eba713bd7319b41a24c8bf51eee77257b27fb97c1912abe63e27f5fbe208d603e90f69d337e04b3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
e6759f01e536a531f1665196bd7a7414

SHA1
c57e7309d5427909a707674e13d040c2e81302ce

SHA256
2a12bc88ee3aa912f45882ae2c7188b354d77331918c80e1f4587342a95dea49

SHA512
2dff0ed2fe566be4d89c7c2fb60a8bee7c8cec643f1d19e38793261d5b3001733f0ed62ad6e90b5866a08558ffa0f567cd0854cabc1b35a409de8eb4cabf76c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
164844f5cf93376c89a87e41eaf24b53

SHA1
213de840ae12f8bc6c0f826dcb4ed5701830f2c2

SHA256
cb5d1b54c8cd3d3edcf7eb547e1acdc71fc96c279ece6cf5c86301fe3b2eb8e5

SHA512
b3cf6da72b46e531a7417fc62e7a223496c6196eee95f02c8f482eb79191a7ce814b17c6274e26f043c7e052352f11427c267d887ab54af7fcd812d821982789

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
aa34c496351a3fcfaa30388e1cefdcb4

SHA1
29a8a97b17d10de165c6542a0f214a79a1798805

SHA256
eea99c49862376d60981e6d2f9b24a57e659cf7241322722ca80f7fa6a842b26

SHA512
b60a6167331868f5a1d90f5b05105890b332cb5ddd10cba85c080103ababb7bfdcaf31dcbe7d6626704576ada1597f64809f5465d0f087cdb04415c639df6174

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
34129d83a499c1810f0947d8f0fbaba7

SHA1
1d67677a57998868b19e5a2c8a7a502b15b2cf9d

SHA256
9230aedfb46f880828a6600996131b25d6d30991351948a920de42c2563a40a9

SHA512
dbef82cf5024fba3e5ca036fb5c31caceb8b80a6e2c31de618211e5310e940a61de7774dac93888426973829ad70f09e0efa84236a88db482ab2dd84e49b8082

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
c454e1555752bda78261bbbaff7fc862

SHA1
5bfaa95d2514a99f395e9231c398b96f55ce8621

SHA256
7215b896d89a115d6b22ff56b6f9da96aa9fdc07f8b5af1a848ebbce290d1f69

SHA512
0a6c6f84a97cb717cf6eb3524f508ddbfac03d863c1f13621d6928fa713891344e2f88b0cbe6a421e4868b0087b0a0795bb37efe8f6ec1ce53b0cb855f6a9df5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
1cc296aee520b3269fc71ee3162e244d

SHA1
2e6eafc9a89df93fae31b028073b9f287fb083af

SHA256
642f9e2751ee64ad58209b22724fb1d621cfbc0fbe745c56179fdf4cb3ccdf41

SHA512
fb0bdd0c1c2309461000f0e0e38aec54d5aba2549dc6c0a888d656473d3b55dc42e75d81e9acb26dd55290634317822706e6da56a3f7862258761e6e5cf33fbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
913506ef83444a33224a756e9ff8b2cc

SHA1
7b181808ea60538b5855d384d1f34ffd58fce537

SHA256
0e70f11e947137edda7ced4a7388011adcb6383193a0c2200779cd0406171712

SHA512
5d2c2855b774ae34779894f1aa401bf56236ae470b1085d0615d9234095ef141cba71777b19528e452a79ed5b56618b8674f600497dd6771a9ec6ad0bf0d4ed2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
04fc00c79d317ca7128c7caa9249c378

SHA1
95c00f02930ce23a0996e54aaa911ba27004ab29

SHA256
652ebc2d274287761ce4c0d5478af5dc05d7c1caf317fc76cf933702de9fe799

SHA512
ec20e4a278b83a4a98cba1c72bed317db266c1a7e3aa0700826494af599cc87440816b8416f938e8dfb4525771965142d7e53de7c60b6e91567b9a128d9eebd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
78741cee3f6c862689a70f433e1699c2

SHA1
56853888e4f78ccc218d057c660d70731d883179

SHA256
1b0765d1fe12f116c7ff4aa28d36c5211e0aaf6bb0c690fd7a4dacb797345bdd

SHA512
38de74e5498c5920de2e036a53049c9e2ca4f99d0868e5f976026b92dea447c73cc6cbe17b1b4b8991a615848ceea7a532e984c3193ba038e0a058fcfbae13b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
69ec65ca9fe404f51e09e5746714b8b2

SHA1
737719a655dccd827794119ea07e42bad20fa579

SHA256
c33e1af2ae4ab781a34bc2d295180a8015da34b4a929c1dc1d3821f0bdefd230

SHA512
fa1bfebdb192973033d1695f1fe965ef0c0f6a271d4f74cf428c0fea3f61b9760724d114dc1c9398e8c66a2b21d9a00c40d0a33e77ff6208561917c610363bc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
ef499d117bae910332d80d8f1b7d1497

SHA1
e670523b64cd2b81a936bf4e16ef68ecc7d8f9d0

SHA256
8ea3113f799effe2a059a680da195f99f6c4290752e0468214c3167fd4dba8e1

SHA512
e42b5a10da1966e539843361c349b3ff9d58ef143422a4173a462fb1748f1b45ff5dc8be161626736700878f85b76f4deac7aa1e96a5492893854c0792ad156d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
5c68337b3deeb71472a91932db6ff3e6

SHA1
6b02436d40a685143092f7ce451424faa5cca428

SHA256
41b7c07a73786409aaf04cf34b6e480d18a08a5dfde0919bce877f9b9a00ff03

SHA512
39110a855b6e1a4eff42805737aef99d2a6b542fef0bae442c3ecf4bab262cb86bce9d229451281fa4b2a2fcb6d92c8ee6601d8989c2ac652a64f84bc6ee57bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
f57317ae896628ed7ba2a9c070359cf3

SHA1
88a4bd0530a5f68b8c63fd0e76a849c42129b890

SHA256
eb78175b3b88fed504c3ec6f85d8d2bcd2407399c5f316523040b6f2eca7a2d8

SHA512
1bf053502d3cea78be19dbdac8bf31074b0245d8b8530ca5d3df8d48f9841c662747ae7d4ea717a62606eee5f91fce55e20e6d2b1ce633f186cc3f8a43c2d6ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
2888f18e8bcf75f7fe15b0b39021ac87

SHA1
7e0a93209c4a89f50bfefd608c77c2ebbb856738

SHA256
9927bcb2b817b53486c11ac16fcedb4c6ce869a8755f7b09262d36caf94708ae

SHA512
bb859053feea22e787d91aa577b58c444bdd24f0e9c4074be661408076d572000bb5bc16b7ce4203ac4e357aec02b4bc13cb5ae4ef048109c07f57f044349e8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
c89c9797f510deaac74a28886a167867

SHA1
7f0139cf01426b6ee457d4b4d55e8566b34ac24c

SHA256
ecbcc2871cd9fb15d39b3758eaf90c5bd634d9b7958835a07416f5f79fb34be7

SHA512
2fed05cfa746fd459396f36a6af192c52d8967568fdab38df29a2d83d9353e1b71ca3a17313fbb93652334c23dcbb356d1c70ef3c1225a6f59d7becb5ffa0aab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
7b1182f0eeaffd8befbd97c1ff5df6e4

SHA1
9e534df4366d2aac121d583aad774ed8f3318821

SHA256
ce581c4fc89f79430d1d6efff4880849984e99377519f86af6047a7964f7cb00

SHA512
0175cd932bb62fa7257d2e6c48bcf6f86430f54e42eff9e518c85d9bb17d1e964b448ba03a87d54e47ced5d282853c39cf6abcc9249f6ededeacda76854ba92c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
f967d089b1afdeb86afa6c30cccffcb9

SHA1
8b3e5c8d2503e77f70314c3584b833c19c674597

SHA256
21b4394f7ce46a88c39f07073d23ea6aadc090f7d5e3ec230c0fccddd4fe3e59

SHA512
28504b1ef46d9036c6bc9d550bbcb212afce79381288a9daa7bf193d557c4f2b3a5fdf3caa7a6f0624286d7db6451384d70e778afe52ba6d1b5feaee78bd1e57

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
77432c96bef3992713dd38e35a3027b7

SHA1
310fa99a3e620f4833551227001cb0b68d05c7f1

SHA256
9b35c6a56a9e483ad59c3c0b48838fa29f7ad64874119f9d02a686ea6df87289

SHA512
ea532140d7051319da36fd696e5ef66229b70182d057e45a8ea8866f43fc4798d3515309387072351775cf4be8352a0315e056245e5ffd72687c69d7c0743dbf

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
196a051d471d172cda04054297cae6a7

SHA1
41369848d05b0d15840d5988d0d6d741eb896aef

SHA256
bda0f0d46a951ce1871c1418b15ff91a7f567f37cc31ad8213f53d2e6ade1445

SHA512
a7260d96f637dd7cb14ce82dfa905123844346d064802aea0ee42d1a3936211433aa46e99721a22e8b5fc57a51d74f7d441938dce9ce7ff18efea65ddb2c22c3

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
95ea466376b5a44929417eb672336f3b

SHA1
9507ffae9b464c9cddd040415a70564f0986e99b

SHA256
ff524c33bfae135f4a7e2041f8d26b805f7eff96ef392d382fdcb01c5de3c69e

SHA512
882d5048f8607fca87078809494424b787b4f4de32dfdd593b4df0d7dc5f05ce9dd2d1753db4050f8862dc34cab2e6671a927e2e0422048aead221a0ececa454

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
ff8af14d4e05190da270ac097b587c4e

SHA1
b5143e2d326056acd489239d8b5ecf26d366315f

SHA256
a08dfe167d76ba5b47b40bc01891638a33fa4b9429c0ed3bfffbfb753cdc637a

SHA512
833227273e9b16c9d556e291e76a92fc7114faf92e660f47a61e47dc4d855c7081b7f2337e2d4b1f589824a91dac01afa0e2e19922cf286e1e0993fe5dea860c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
71c66ff7e41421801fa406931d556ce2

SHA1
40eb2d74a0a0c9b7518c07a4adab52d8df53baec

SHA256
8e7e55d8120baaaf07a21ff60b8d8e86a9bb7c887612761cf65f7af2598d1729

SHA512
8a2b06a6340cf8e1fda294130d26f8df20967abc94cf8af2b589a50cc20410f02908844e9c7711406ec71872a56fd21df41905c76cfe5b5b6d30275f680ca918

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
2564e03b4637ffa6cb7a7e83b775c027

SHA1
918dfde5ea92f3dae070691f70da66225fd25523

SHA256
959634e1bc281573fd3caa90744fe2888fca1c3eff706ad06827587645648aea

SHA512
0680b5c03e3ae571b55dd9886ef5fa9e60f2f698a43ade5c069d3e539311e01adb9189dbe9e3518afef4ac2bb17c4721b80bdab70f5c079def6aba3f96781df0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
e119491d451a494c4a15f19b445e2ac3

SHA1
99e5dfe673219cbfdcd3e0e23c895ddb0d18328a

SHA256
5db45c498c56859df3df9122bca3238638e5d32cc161e1fc53f318b69a152a08

SHA512
c32ab918254efe8d764e8e8f49609d86232a30a068f994e537b263b61899be1dea45f584e8f6a079075aa01896ef34eb765e28ce1d1b649df880d65210b85fda

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
e1565923e7c9773739c144a02fb2e4b8

SHA1
7baa70a74bc1685b7495faf7245b48e09375daba

SHA256
7fbf02ac1589be5e3b232846a412ce71043754bc18b3acca0a52d5fb073018b3

SHA512
d001c3f39e65f0f3443729c5bba0316ce5a944e0e1fb848cf7dca726fa628ac36fe4ae31c8c9c3e7dd2006df952ac9985d389dc83b139310ef173a45e088776a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
81b9fd1eb10dfff876791edb891bcec8

SHA1
a0c7f60826865a436747dbae88930668d848b31e

SHA256
fd450b5f66704957ef93e91c06a6ca355d05bb3b553275822b7f3d21a4c297c6

SHA512
b555c1edd02f0d1f5412c3b2560751ac90e7967e20a564a4c25bd693ad2ce34e7aeb38b6ad7776bd269a88fe8f4d25255277eceae0c2d84068267f780af6fbe1

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
a90927dffc0b50e2394bfc8198742703

SHA1
cd6fdfbbe0a6b0db3af574bf7765429c77030434

SHA256
64c2fba099d37e2f8cb0884c89b7d50f930a8a1cf2cc2c982e6d9fb23edb2c2a

SHA512
8fe68effecf2f65b93fc36c673a9db4eddc105ae01864c7d03473ba5861b87b74627d20a9905945eda9ba61277602ce0851a7393005f529e5dce92914b521a34

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
056d0f5a4ce386b9046b4bc9e93d52ad

SHA1
b1e4372af0a9b68ed851a0f44c16c97aa7987baa

SHA256
3cf4613588b7f50c2063f2dd53f94260f91fc9b3f85ba552779da4df16ca76e2

SHA512
ef358575a5ba3d45c1936328d87711ba3c3727c33a5cd9fb62781ac310c388c2aa89a972798a15c0a5b5855f21b22d0a4f5a91054517a0838addaca8a0934378

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
67cd00ccfa1bf5e424300fd09d0a8c5c

SHA1
f1daa993a89e20d09bf64e1dd598d338e8f455ee

SHA256
5388e2b0d449250deff2307e69a4998cbbcbf1138c1e49e0f75a93cd5c390f92

SHA512
7416b5da754a45d38198e8c95e6a6b82673dfd01e0639a2c6300c9a7bbd10db8ca45e23f5eb1408635f496130db09f79e99ab42dcf2666a8a68ed8ca345656f7

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
762c9314e1dfa7b737ef3cfd3a716e5c

SHA1
c14d7e089e4709e2d44090373409714c44727969

SHA256
51b6d93369a03b03043635df8a14c3d1ccbb282ec64eca66cd15d90a811f4f32

SHA512
455a140eadde4dd88abaefb63669df8964ec3f59103b4bbe008b743b302a3e4a36ce2844b54eb8b7f7259d352bef84cdfe697bd05fb695c5543c103d0d16b2b8

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
0ab4364d1de9ac0d2add80098cf68e11

SHA1
98fd68f547342e2fd8c296bd6c4a5c9473a8ef45

SHA256
294d7a61d19c0a107d309e5eeedcfa82757d2be3afdf7b5a2de317c44144fed6

SHA512
ab3d4e578ddc1c5212aa32bfb07619b3566d59b9785abcbb6b8ff77eabec0026d4beec72dc2655c9f193f4837f97872cacce196b1534ae848d39f8734360b9d1

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
5d99d16c5f5c6f64cb4c0dffb09dc52c

SHA1
804b7d55887afa5add34f9b1ea52a6265e023030

SHA256
09ac394cfb1a83ccba54dd2b2c78c6c8e38a7c7d33b0a7b6179f6a0ba28b40c7

SHA512
a6b6e79c7d1eacf784c3b275c8ef38f0903ff56d40731ff7f6e1380772fd09d183651d5c90614698124deb0220bfd123bad1c4c7e9903124358b0cd1838ba489

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
6a1b7a87aecfb6de486721b0c00ef9c4

SHA1
d72a5883dc555004bf887b9eaf52ffe6ea25d7e0

SHA256
00545e72d889dc2804358397d4d42bc6b16271422ae7ce78e951214d68f64160

SHA512
252644eeb4161fcc0869e54d6a2af9edadbd1b49a42555b96cf3cecd643f27c892a7df14e6e2bb01222311b5b32afc434ce6c22bda3e834d905322f2d34ad16c

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
bc4557f8e3dfa57f9b16e62655a5fa0d

SHA1
8e30d832e4fdbe9b46275ba81a1ffbf7859922bf

SHA256
3fb3faf0bb8d364dd46d5c8d31bb3dd234633ff2c937c76a0d8b5fc82922a78c

SHA512
e149381c46fbe31bc1329a4256c1034d37ebd4d8b71e1acba99ef5ece508a080e65d4434626ef09cf77d24bb0a4ff2163972c622f3d859bf4d9860e3bed378f0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
5335fc919897a4b7ca2bc84e2ccdaee4

SHA1
c3e16473701154f4307a9ae03e9c91d771e69cf9

SHA256
6ea9e091c9b1512e26ea61a333f06d0988ad951706f2e3ed4623b96052069bc4

SHA512
e0c754f2ef7152b7032be55baf294a60d8a934eea30b2cdb7e51be50a8e6d5e6ec85ed9c261608d2990f98a658bf78d5b36f25ae2e9c8b978f58e482545a63c6

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
8e97dff61b81a97bbd9671467044730f

SHA1
e12b40e6313d120fa6ba9064beca47ca962066be

SHA256
7f02eaa0003d0b6723ac3f45bedf90813760725a905610c1230543d542c5e264

SHA512
ba15b387029d6d380d49a049386e871342b3c358a23524293a8f40f825ba7de60184c5362dbbd19dbf5be46d2a33811cbd197cfe931f603f2d4beff70de6c5e8

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
573405492b38dfaec87051fdd1db0968

SHA1
2815419c48efa873792eb6ddc932b472e3058f14

SHA256
826c6369c7fb9da02c0827cf1bb81d22d0e093c657fa61ba64c62a1d98158797

SHA512
8e385ddb21372fd884ee0be0888eef16558aa3b30b82c7587dec9f640d2a3396d61f20761955d8cb004409181cf0db5047dfe45030a403ccac32ac490f5b6096

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
97e4df78678dd337df5161ebf0607e69

SHA1
07c00d7de3bc48ce462e1336bae29a023f5cdc75

SHA256
e9ca559280f3f68730421155b08e5c4083a2cd9722c5cfb1bdcb1682cf3a7bbb

SHA512
58c67e87cfa6758284f67be5187447573f7a0b0a6df45c4b492f57ec430463b81e65f110baf0746bbd3bdd2911bbc60038d6bb96332adaa89b68678ba968b463

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
aa89050991a46d2a50660b1633a5ebee

SHA1
0486a27a550e73c6dc2ad22785330b9d221488bc

SHA256
1c611b825627b972cafb0df2ddccee3978eaaf43c3436d5561615fe7e6936d7a

SHA512
6feff513f4bf562cb575f78294346fbd62496abff612a0b020b5280c3a21d40d1252584ca3922332af0c5a538725b2d97d5c54195a3157a300a155da8c860f5f

Download Submit
memory/8-141-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/8-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/564-524-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/564-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/564-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/844-597-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/844-265-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1000-521-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1000-209-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1188-239-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1188-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1388-8-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/1388-7-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1388-96-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1388-0-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/1456-127-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1456-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1456-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1456-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1956-43-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/1956-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1956-38-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/1956-61-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/1956-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2548-429-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2548-155-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3020-594-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3020-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3092-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3092-520-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3316-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3316-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3316-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3316-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3756-463-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3756-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3884-99-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3884-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3884-80-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3884-591-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3884-74-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3884-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3984-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3984-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3984-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3984-128-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4184-215-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4184-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4280-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4280-596-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4356-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4356-92-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4356-86-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4404-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4576-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4576-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4576-48-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4576-54-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4860-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4860-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4884-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4884-590-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download