9341eb1a2d695113a52a900b38580ae6320cdf49a86d2c9ece207282afdfde30

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
Size

1.8MB
MD5

a37751a25bcaf1435addbc73734f2c37
SHA1

8288aa75dfe4d570920470b2aa00b5cc4c8a6c0e
SHA256

9341eb1a2d695113a52a900b38580ae6320cdf49a86d2c9ece207282afdfde30
SHA512

75f4daa7f785f6634c9b8dea7f8dd28719a7f429ed7314469feedce27ecde137f591214f2e759d8c7c1f71107357715d711c746ac384e39005bff3d94c60079d
SSDEEP

49152:jE19+ApwXk1QE1RzsEQPaxHNMfgDUYmvFur31yAipQCtXxc0H:k93wXmoKkKU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4872	alg.exe
3120	DiagnosticsHub.StandardCollector.Service.exe
2980	fxssvc.exe
5048	elevation_service.exe
1160	elevation_service.exe
740	maintenanceservice.exe
3280	msdtc.exe
5104	OSE.EXE
3124	PerceptionSimulationService.exe
4364	perfhost.exe
2860	locator.exe
828	SensorDataService.exe
3340	snmptrap.exe
3760	spectrum.exe
1344	ssh-agent.exe
1544	TieringEngineService.exe
4168	AgentService.exe
2388	vds.exe
440	vssvc.exe
1720	wbengine.exe
5088	WmiApSrv.exe
3444	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\64ee046a8beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a9ebfbc1daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f50b1bc1daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da23ccbe1daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a63bbdbc1daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001af251bc1daeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056dc7cbc1daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddb0d2bc1daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e93196bd1daeda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe

pid	process
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
Token: SeAuditPrivilege	2980	fxssvc.exe
Token: SeRestorePrivilege	1544	TieringEngineService.exe
Token: SeManageVolumePrivilege	1544	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4168	AgentService.exe
Token: SeBackupPrivilege	440	vssvc.exe
Token: SeRestorePrivilege	440	vssvc.exe
Token: SeAuditPrivilege	440	vssvc.exe
Token: SeBackupPrivilege	1720	wbengine.exe
Token: SeRestorePrivilege	1720	wbengine.exe
Token: SeSecurityPrivilege	1720	wbengine.exe
Token: 33	3444	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeDebugPrivilege	1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
Token: SeDebugPrivilege	1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
Token: SeDebugPrivilege	1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
Token: SeDebugPrivilege	1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
Token: SeDebugPrivilege	1440	2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
Token: SeDebugPrivilege	4872	alg.exe
Token: SeDebugPrivilege	4872	alg.exe
Token: SeDebugPrivilege	4872	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3444 wrote to memory of 540	3444	SearchIndexer.exe	SearchProtocolHost.exe
PID 3444 wrote to memory of 540	3444	SearchIndexer.exe	SearchProtocolHost.exe
PID 3444 wrote to memory of 3664	3444	SearchIndexer.exe	SearchFilterHost.exe
PID 3444 wrote to memory of 3664	3444	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_a37751a25bcaf1435addbc73734f2c37_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2016

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1160

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:740

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3280

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:828

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3760

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:540

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
28afc0b8a1215b8442186fec3f929f67

SHA1
d019a0448b4e9c7a2a7e18726e6de6134ca59ef7

SHA256
caa63bb90fa440ce23a9d86c9ae2b084aa1995986c50020a520159db2202e35b

SHA512
4ac44f5d5aace6df89a60047e312f536dd7b484e298323f5cc59ad00d09a93b6dde54da4d34c6ff7dc1e72f82ac7f1c28a0af59dd4faf97b0ee1c13625228f1f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
ccabc0e2ef22c592ee4bd455220302ac

SHA1
4b54997a93ccc9bf6311defeeedd89bf5803646e

SHA256
0a4d409d675709727d0f3c6d21db782698192f242c298a025e66bdf4dd8a9b95

SHA512
b5619da41c9fe2983930bae2fcfea175467cc989f8d8c819fd32dc950f4cf3a554c7aadd6d140e3dbae8bf0225389cad5d239677f3143db09db8e4a53f4e6d59

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
94164a824e634d243e825142f422f10f

SHA1
a4b0d818e871697b35fb9f7ae1bae43220b2b9d9

SHA256
70813f02172ed379c03dc683015610da28901d86c2a5b0afe3a250a4f8959f32

SHA512
79d99c1154cc13728c7d32877d48664a0d0adb4b87d092dd508eace9e7752c092a1e58bedcc7b3331a22e8ed6706a8124794322f2c6f5c37c66f222f9bf38574

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e7900c1763f12eaaaf018b823788956a

SHA1
202f993fc3062edc07ca1c60d1d9e78691e60c1b

SHA256
8bd52a91656b1d1c77fc7c8a4f4d1a6cee890a11470cbdf3d011c5d98f4675ef

SHA512
ef6a2c5702647dc4cf35f5c7bed60eacaa6023aaa6b1d15cec564710300cdc71c514f33b0421ecc240a60e39c5a00efbc0924f616b03c3f994c50bc1bf956905

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
20f5f2a3b8dd2b01c34ac330107499ea

SHA1
9237dcb5ba21bcf96235d8cb03adbd6a03b6e216

SHA256
a7eaed770501997d7d6c2fe26a4f170a6ebc775de1ed58fd40e3ab4c497285cc

SHA512
19fc1c757cec368bba72829e8db65844d88a66923df10a99ca1291925a6c94e1066b15ae365f1903cc341083ac732edc972ce5b864f465af7ee2b9341625fcc6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
aac0f194335095e7d1199c8d05b68240

SHA1
a09f3ded0b62c609f05529e777b6b802090f57d7

SHA256
6e040178b1c89d7501e98194be7ff004a34a8267736e9513eeeceefac9564bb4

SHA512
f43aed65b37c71b864f99f9066ada9d852eea6f7c83786985f28afd537498ce8c106034c082fccd030bfc92cda0afa1ddb36b69a9aeaf358bf55e849398810a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
dbdc77cf8f13bb02df76cf4596d7ee5b

SHA1
3d409c123b7b44ed4143a8437f90c02e94bd6607

SHA256
af694e4d4713d68bef773e34397216dc7079254b7a113bf3b8af9e8e2f9ab554

SHA512
142385d9ef8b13f02a92b75027a241e2041639ddcd399427917999589efc79b4908b64863aa007c1b4e5896b13d5143d0cc162b73c19bd88a4b614753edd06f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
7a2b539f14a7dd7074bdc8f0fe017310

SHA1
1dac2740812e3a43a9e7c274a76717983b4b50e8

SHA256
793c308eb22a60680104033750d30fb0eeaa31bacfdf57e51fea9cfb55644040

SHA512
09aca14ed30fcb5b0336be81b7d88c9f1b13ecde21549099377911c818a316b3ee644a6e290d24abc08226bc312ce4eb4b5c70369eab17df5c491753181d7023

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
80e89021fb69680540fc2c98597b82ac

SHA1
0660296312f882aa2049e696c1c2903731f6a9fd

SHA256
0f7d5106d2ee3a6891c1f217a0bfee5f3c1004803935e2a48a39503684f848f2

SHA512
ab9c4d9226d0eb37f03c3df75b80d671676a0c4be4ea74c54afaa0c672068c882c878d3ade2f104a5721ce1d6133e7cd3c911ee6072012e2189b71441fca208e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
f5aaefcea432a05386930811ed765789

SHA1
e273c7c9eb497e04f807878d581e07cb06035952

SHA256
d219002bf48753d705539261bf833956b4bbb729d986ed6a62dd3028f265bcde

SHA512
efcc527f7a82c164ab94d503014e64a4fc0c28823cdd56429e8db4449c9d8c91041edf601bf79856e14f935cea99ac82a228f2095b7370d2df0f71edd5f67710

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ef474ee9943a70c99a6f50c11922df88

SHA1
7fdd49a9a91345bd6b0240ade5ee67962de8397c

SHA256
a81b1a394cfe6add36278ddb3d1d54a6e8136c7390707c01f2965f13ebe4b7df

SHA512
3bd3e9b52856dd4068d3e33ec5e12568f53f85ac2be7c29ceaccf18823df5d854ff01120090b25972bd10b01391b56bec1ed222615409455396d753af0ba889e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
4e38b3e85bd379bbbfaa7b494bb75aa1

SHA1
f1617646668ecd2450a908c5abd2024a20e76343

SHA256
7ff2d1e83210f8790a3e9aef5aac731ceaa76d1879de0bb0c30099386d9dac95

SHA512
5ef8fa1dd166afd17e41aa224b7219e72d38d5a9a6f11e145f65ac10e24710b5482fab332af7a2482b7aa1d8e392451f0cdef96cc9f71541ae931457f00959f8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
e4cdc6f221fc6193300d03971c5728b4

SHA1
af431d17a8ce590655180be3a114918de7c772e9

SHA256
d443e6c3c7805649e93c5c758ac06e75cf96d5bf72314077187b3c1ecda9dcb7

SHA512
ac8f801eb71453f830420c26661471bfc036bb013769ba3302fe9731538ce2419d615ea420415d5efed00453fefac7f7cb0c933c7a95fde63e7f62f586ce5bdc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
49d40336fda5840cb3e3175e433d58d3

SHA1
7b6f78fb81fb41e265b83d8a1b45a93f212c53e0

SHA256
ef351a864300f3cf2b3d5505ccb209a5c3baa208fd850618dfa0d526912f85eb

SHA512
61997ff5c5aae7ebf91e3b115d6a466124d4cca808e88fb900f641a57ae2c11767a84fce77c281bd8b286e1a62b0e937008c9cd9c476ee43c1915d8d8ba7c961

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
70182869ca9e6acef97647f9b5ea2b59

SHA1
335e105532b7d8114a9461f7cf59565e9badbc35

SHA256
d75adb1e3a3f4fc890190513e6d3016d1dbf1d91fce21e434e3344a500d9c848

SHA512
bb654edd3a7cbec485994f20f5e7a50bf2e6eda97a705c78e73ec0945558ba930e42b7c692a0647b7bed3567e449606ef54603d061feb94f8752ee73ed4dd528

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
e5c74208c37da498867a91a372a1c4be

SHA1
7374795591e70dd3f2ae1597312dd40ba9d765cf

SHA256
dbd59a49ebf1aba529b4e78d7371b28aeed9c646c16ba1f42b74efc3e178b09b

SHA512
a27f4059aa78cb143594b1970ebfccaa80ae2139c82b6db4e74bf8fdf80f635fe52c6122ba2ae1b39280a7a5027e51687f7586a65b3c3c1ae13a13436de4b566

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
d28ef9593a218f82014179c6b0bab480

SHA1
3a2fd9ceae6a94f74b59f6cd73c307961b967081

SHA256
8b72dccd600cbfaacf4f9ea80a13a203aaf717bec7d2c015f0cdfe6bc45267fe

SHA512
39d9cf8d31ff5b64792426edb20c0822bec34cb18c94478ad7b3c6473761cac451766b50f77e1ab599190bfdb95c1a9c32feac02546722f4cb2e1626b76414b9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
fd37d6e28bcec92598befdbf39758e9f

SHA1
457efe6799d1b3fe3bc06012fd7bc35abceab406

SHA256
67bb228ae5348b211ccb56a46bc51b582e85f94285ea1114efa492554e392ccf

SHA512
cd534fef5cc00364276c88ec14d8743d95e227987fbf6893f2f945acab39b5eb934f6761475b663b7ed7592c446eb6bf79f370093126b024895e149a1fa1d134

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
ce48a89fb151afe66a3277f46d4a01dc

SHA1
434fffa3557920e4e666540d74d529a8aca63495

SHA256
8d0fc1661e375bdf0891cf214166927502c786381d6dbf80e12c59f1b99bf708

SHA512
afefff0a9542d96fc444fede2c35633d31870c26b43dea461d46700caf519905973bed1716fc78f1397d60508829422795c194619eb93b1c77d20211474a1666

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
af714f5f7f1a90bfd69a506b0113c8c2

SHA1
2b0a2a3b7e89a92b6046277a0f85f06d704c850d

SHA256
872b11f7e4e8f451101435b1fc8a4394ffe12c9293caa3b7dbedd871bd2c158e

SHA512
a3fc7aabf3c0612ce0a0e22bedb6f70d59d60512f81f059fb11b2bb7bc3a8098d8101747fbbbbd2879a840aa3d735e4e10e3cbeb2cde78b32311982a465ee6ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
3b060319faace81b4adae75043216210

SHA1
4c7439a6630111d20280cb7d53e7a7773a736064

SHA256
5a6dd87c1dd066c1dc56734fa61f38c2b9fb19cc63f1ce08eb0840df39893ba1

SHA512
f19506854a3e11e6e4200ef25029086b58cc47cf368232a10dbce042638726b0151367a34aed4eda4099a679504f34c6be207cd6e1213cb36c21c173ac9f1561

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
db07865f2a5fdf5598967ee6dad9b55d

SHA1
42765bed1e48e75993699a515227b7174fec8f51

SHA256
b3d8f55caefad17996ffaea84e369b21dee9d44853b9a7706e932ee1996443e9

SHA512
8cf73f6cd43c550f4928bdab3af93f23d3e8ae647b34a3eb0fa9f0bdcd44918559bc5d1c06f07ac872cc1d80e7caf76ce85d5f4cbca37e1f702d88fc9b1798be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
7142af885cfa68bcb2aa0d0e0dcb7852

SHA1
cd366273734d2449113156a741a463c9ee42833a

SHA256
e56158c7d3c97c49e52e4c2b91ff146423e2aa8c4f22dc4183767a2a64ab2df9

SHA512
a9ee7279338591b5622366d3b66fa6c1544ed2966f6264e1b31b86b1ffe6679e6b138c825a2f34829450047c81988f08658c33dff266edeeb7b0cb8ae7c11a72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
8e42991a95b86b693b5ccbc63f65e74c

SHA1
6acbb0577d7889b3766b96b45d3d53401e990981

SHA256
290169a8758929ca0608d0b75d228062b87fd04e22c9e0750e9004084b7744fc

SHA512
c8e5a3f797d07ee4969ed5724b7b2f26de298ce9f1971be7bdcaf1ff6bd6df29b75f81a77db2f1e76abd4e052e7ef0a390b4ab6e3a1c0ecaf91897fdd2ad06aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
c7d66329bd7a602b81058d2a6ec1b022

SHA1
e14b23667aad17b998a3f55150c3e626411fdd70

SHA256
6784cdacd6b9209727133343daed914dd1bad17f6e1401317aade39bb69474d2

SHA512
edf2f2d597896412c54523714b17f556b78e01bc297a5bb7d9a1c50a740150e4baef410de84b211b1b268b080f6f1f6c93783a41e5b10ea844af27be1d47e23d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
cf2fc1f860ec04adf59109cd7c229265

SHA1
e3607244658d725092ccb23644ca6db9e8eebd76

SHA256
97a654a685512e348f2912c288c21157519e667c53386758834484685eddef71

SHA512
3aec7092b104931ebc08fb925b82be5d28d2fdc8b3e6c65783f33b0ed7a05104c3a8f5b4fd107a765cad8e33f080242d188b21644d86041b905282aca1853a13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
3a0aea3aa1787ad96091135033f46b3f

SHA1
a72badab8266601b2f092a348dfa831b41c9a919

SHA256
ce2552eb4e9fbad547e27e3d7ff921f5ac9a96215fafac30a8b4ca30b5db9b58

SHA512
e7e0cd3357a48aca1505e9c79cc50d8e1c73e0f3525b1d1114bb66a0cbf9f70385add4d39f9dcff7fc6f366b2ec660fc217d957b15a09ecbc74faeaaf838623e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
e594787580764cc2db2d9d72e7d7fc71

SHA1
b6965db638ef4dd24bf9555e4c0c164b55034c4f

SHA256
5d186c5538a203d4762a7bc0c95c475ec71cd57af89f662d6d22caa34f3d97ce

SHA512
665a9725105d6f5340b23e8db748df595a1cd8ccc02093e7e09400eb35cd9ecefb69bd7e325db3e5ca641e1b18e9be5a7c4cce6255c8d83dc3e97a391ff49bc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
e947cbcf2409e9f4671865b67ecb1895

SHA1
a24e951797c547772b96a7fac0bc0f5ac9d54cd0

SHA256
cf30478169bd7df13e1b8438f8ef839a1889455dcf6031f831a39726531b72cc

SHA512
a2ad0bb3db014200c79bfa74c3d9f3c4f6c042821c2066e1ee9021ba15b1323187ccea4d8ecaae89cfa62cbac1c9b594dda295e3f8a8688eca516af745088c79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
453e44e61a3fbd17b526f93440edf7e1

SHA1
1e92a1f91050ed6838c3266a23121881cef556a9

SHA256
1d1276b39bbcd2a98d8aa4fb8b45d5a887b8a0b4f4ad32b427100415b7e75915

SHA512
51672e039c6a36fe7533534e4ad19143835a6311d50ae14ab40983c42028c029445b475e9696eb1f18969de723f54e62f9de5db0971c939be5e991e41480ea1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
160370fdf61d86c3303f2df4181c9ccc

SHA1
998e64262d024c07aca5e6c10b387c6c1ead5060

SHA256
99e96e47c445b5f8456e0c9609a89b6bae3c2d72c8dd99ec345c52a74b73ca6b

SHA512
31d39a0669ff4a9b1cbd71afa99e4c37b8af0c3dd06fb65fd3722a8475f9d64b09ababe6b628431be0ee513afc55c846508c139ca0a3a1a75f4f23d02996c531

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
60bb4ccec1d871289ecc84b190e49396

SHA1
e15ccf860d04b321c827f24a448d282b085cfdd6

SHA256
c81b633285d7cc517c70dabfb94449ce4c48154591dc7de9a1cccf32823d299b

SHA512
3210ffbf8871998d1b217788278a8b9ee3f63fa0a3936504b14e2b30a3e0cb17054d4a0675db5641d1e90ff2f9cd1fa8494f6677e98b0dc9499b8681ef86b086

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
3cbee38eb2024869ede1bf6b7e050ce7

SHA1
263a84f624a987d85f9be0a6a51862b0add79486

SHA256
c0fe5791a9586a008e48df356432878eb904c1557b63ef716988286947b2670b

SHA512
0618eb322fef4c860fc2369aa06bd8468d618e04698b28600e8c44b5b4a422a5347fdb24c4314e19cf2793369563bb71e12b24ddc6df4f389630c833e6048f6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
84571816b38bf0a0bb0564062059c441

SHA1
e9cda4bb9b5d505d520cefb92fde696a6958f799

SHA256
8af2afa9c52dccb58409df5e6eec9f9122deb63b5d13b7a18f3f43c394fc1927

SHA512
804a423187b8222ce476cabb8faa11fc6d8c6f639a58032d249971d0552cb32432a7c7687ce170153c2b7bfe7087599d3fe60c460c29afb98cce3e52494603eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
ed9532481b21a90fe52c9db721c02ff6

SHA1
159d1c2a1715d8a20a6e1af59529e0222a38eb88

SHA256
615179f2139be5d92113d4afabb4b43f544d910b34013c00da9723471d2eb433

SHA512
302f7b21bea7a5291278c7759cad2714b43ce01055f6ab5fb02b999e29db4d4d277f65eb51a0344b8d304cd61e0d12e99e6bf64bec4be96505ef9c820aef8345

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
144aa212cbc7dbd9f23ab8c8f86e7e28

SHA1
9094aac9e7936f4b3a36065a54932374e6f4168a

SHA256
5656a5c94f6bdc98f7b9cc1d1e64f9dcd1e941721fafb0e4bcf21e1fba6a9c8d

SHA512
b16f046cffcebb58bd9dd44b517aea816fbb4c8948114a9ae0545ed35cffe0d492fab0f7b1b02e105a7b35bab9049c5ba61b3e05720b6c89bb57cd2978cfd7cb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
98e31df745871c3521257de4bb8b0140

SHA1
7803ffb4c77dc7773b100b144521498cc412229f

SHA256
926edb5688296af3360ae0a7543c4c3718582fb089abdf2a18ec5a784d966f84

SHA512
4939f428ea975f748c87c8f55e6e9935db2036ca3337af9ab0f267d08a6188025f770e361d420e2b11f285e19f221b6312dbeb2e255727522b2c498683d6c9eb

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
40b1dcc892bab7a182b472bc871c303a

SHA1
1401d2362853a39c5a7e4e27a3f3e737c49c7020

SHA256
a47b358c3fb4d0f192d8d3fc3d23841b4eaaffa1340b7ba308820cad7c962067

SHA512
c176ef27b1c119273d1777d38884299bc4bf739a350e6295c19181a07ca33f662bf57336791d924facc8f3a314ec6b74ba3e3c0312e83ab7d215b436bc0ef77b

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
b2c1241c0efe56084e553ab96def09af

SHA1
e04a61ab6b65634f083d2b11ec93ee182bf95db9

SHA256
49d0bf40b21bdd85c50335a1aab2f45cd52eed92e9bf0094e5578220428c1f46

SHA512
39b0cbcac6b1888e4c1e52107690c85c5fda24d23365ee141f2a022f6f7993fb4f94b76479ef381220e8f4efeafd8d1b59c643d4190154442875331651e8a9c3

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
222cb3d80296a65de2551eada99d9c0a

SHA1
85a73bcd42bf95baea060bb7824c91bab8d4f94c

SHA256
8cf2b486950e16482e348978eb7f6f836184fcf1a5304fbe50bd4c4701bebe1f

SHA512
105c85f2f562886ed2d368bbf086b27b14b6e45270b5778de994e2c97c0eea511140ea1126e46570aafe370ddacfa9ce7d404c1b8fc8d4d9b2ee16f82cc42bf6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
28e8c26bda1f709dcf6fad29c91c39f6

SHA1
f372df5c31d733717cbb948121bc1f9ebc79fb30

SHA256
54a8537e3e733e9dda5ca91345cca55f6b2d66c445d31bfa060ed7aae7fa8c62

SHA512
134ffa2b7ab692a347fcdec0ffa049a90fe3ff0b28fc209458fafb8d653817aadf057ee3c55e48c6fd1a7eb5b8ea23d1dd76693a3a6f300d5212f3e8d5123974

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
85b84173f09404213266b0077d4f09fa

SHA1
e521ce137ec312ea9cc7b66a74a78a9580ed547b

SHA256
10f22c423c1b64580f9b2268f540bdbe62bbfc49d11b0df5f74714e4621dcf3f

SHA512
b6132e6e4c258bb4234d22da3ca31857e75b0bb7aa483ad212f71bb893d5ce0361edd93997f1a5a722908b2746536be35a9ed7517fc304e8fa4f1a18b394ffeb

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
2be74d27292ddb253f386d71940be11f

SHA1
e7e328f16ec96b7170afd397796918d73869efab

SHA256
fb17516177a2aa7096ffb2101339959e47b8780b0235974c95c5458074f59c64

SHA512
42c3ba61d1b1b1a8d95d9e538eea92e64598e1e6e7080e8f5a92b14480311457682557b6cabf45ddea50689972ad7fa78655105e9807eb04ef7bf7d06bf061f3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
2c4a83cb594c77ffd20e0ea8a4875b4d

SHA1
46dc5d5d4e1d9f73d1b48882350f7df0115b7fa2

SHA256
b7a324080dabcf17287913a92128f8908454ff0cd5bb196686ebab260e21bfe4

SHA512
41453aae0fe9b617460f8464fb3e3dbc9dea341b0d2870623989b6ef74f29dd73e3503adf23f1b26ea10f27dad2313b76c4b01c15266f94b140e2ca1f0f62f57

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
1d5c657df5e97d61363328097fb6fb08

SHA1
1830678532166381e474b4e2fcd63abc38ea6be8

SHA256
d637311319cce439db34a82e5f157027707c33086071b2f412371ca7fccf05d9

SHA512
fd4f9ae311910ec20ea9c02c487073ef4532aafc32898d1ddb07cfd7680358b0107f0729bc7cf2613fdeca718fb3c122c42c3b5f1d7d68c3b81a924a25ebe426

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
cf3d6ae480321455e89cbc4624e12dfd

SHA1
7e34e12fcdfb1dcba70bd7b69bc88fa017359649

SHA256
316010b5a0bb2298a59b2dae71666df6cb1a227dbd1704e3631d59b7767dfa04

SHA512
abba621c75ab67708a503446d0fb5fae96965fa18529bbfc8776513ecf1a66625b8112e4f2736168329196f737996b5a1653d44f81a580eabea5760b9c9d2a26

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
76adacfd98b91cb39f0aa26d64b0becb

SHA1
fdf1cfd7a44de2635cfbd452526c28a724a4c81c

SHA256
0df138cf0a2f1bc88ad6806f601a9689e44c7b08c8db090135251b85c43e89bf

SHA512
d3f80b36fae15122694db4eacd20353d146f5d0231f6858a10ee4493cdd55ed62b77114ce68a8df41bd9fe37b5f481c61efbd68b0428908e57db6f0d8633bdf9

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
3472e3b616ae552e7625865a43f08b41

SHA1
058f5ed4c9fc6c62f819a36b5a4c1c9d024e715d

SHA256
a2951aeb613e76cb3eead28c94d79381b9735f2f1efb0ceca69974d6c0e81932

SHA512
d50c37a7a78442cebd4e645010166fba92edc266ebf9627187ddff00696f2a7e4a47cb46e0056f1f4295dac9738d6d466383b0ec8fb8725dc26d016a518d8886

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
c4a4bfb89110d8328047968235a6d438

SHA1
b30d3531b73ce6660afed9074478b56b350e0974

SHA256
0211e433aa1eb58a12e2278524eaeeb46240c8221f2c0cafc365bd8eeda4e22d

SHA512
a0bf5d6595f2fa58fa58b4f5a67dcabb2d22f1040d32f74c7052524e8cdfab479e45a6b4b08b03ec91d302ee23c7acb3a7d6745ff3e40fd564c626a885e453ef

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
bb37dc8b12401981c6fac9a95b6aa9b7

SHA1
be845fbb3f2ee4cfe4c0d3d4af9f61674940713c

SHA256
361aae7a138ba172fb5ea8842c0d558875407dd52bb95af58cb83cca47755ff0

SHA512
420cfb6bab3bf53c0dd0bf8b00a825cf0637f53074f13569be9ff9c10f6c82e978de79e5af93e645a887b37e78caf001f353634354e207c7eb171ea49b102624

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
2427f6441fd8cad85592342de17625cb

SHA1
3cfee6496fcdc565048a7f2dce168b71d1d0b2ca

SHA256
7dc80fa189c3b8ef30d7ea1ef65babb3e31a8cfc6f30b5ce5fd7287c0d578d4f

SHA512
1928023b4083497b621a5ea497accc68e987001a21dcd2af351b561b9f5f43bd4ee80ef7892e574654a2438aa22ee72266374f13966bcdd94ac1e31e963eb3a9

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
49be182ce104e3f82a3777b04688479c

SHA1
e913c585942776ae8672b981c063b3264b36cdb2

SHA256
a5eca67c00a9820960242aa2b292fc3210ea1db90152b6e4f8482878daaad8bf

SHA512
4fa7ab4dc96978155e23f0adf47ab947d617dff66abf0ba5755fe41ed2e1df15c1e94a854747219007a70bc299cba7ab3fdb5dd7a482d2fb5ce2c6cebc8016bd

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
2573d4cec2194b11f75c4df00f233094

SHA1
2ca009b7e4eb6987865f0a30a5897d22d1f44cfa

SHA256
c63a0e2ea38fb9dc72252e37d5bb08365dc17e49ee2576f1d69fdedb6b43859c

SHA512
07178fc0af3ae5e6cf9f71fb5530f84440306b579aed2414cd2473e9c06eb319afe2238d978b6b75cb138ad5c3b59dd40f7598dd8cb1e7fb2f6e504017ed4ba4

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
05f109fcff8b1f79f66e3406a69a0105

SHA1
082f7e1ce00863e43274a77066a1fea5adf09d64

SHA256
f13bdb880feb12365b418a4660822671e6eb38b53be0f8907a3e6e6a1f50cb75

SHA512
64eb6dd053394dce208e7fbdead4fe2b1161efba0ed3fbf141090fc4802e1886ba78f876c103f783cd267949d0973dad193c366a75220c2346db0bd88c7f969b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
9fb7bf939e090604657aab6499441fb5

SHA1
7dbd9ef67ba8c1699db34ff701a8d90936650841

SHA256
de4d8bd5ac4b04b9e8d80e81d26c3fe7adfdccee39214c255017c80c861cfbcb

SHA512
4f24afa95d39513b2259527ff44e9ccea2e743d5921a1c0676b61fbeb91c293b46a6dbf7fc7826b96e788b8c1862af06c869a6253eeec6aa7a784e0bcd35089a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
7fe9bad4534419acb4c81206f5bf63fe

SHA1
a9635bdf47708fe9f8795859cce526aae9bf0041

SHA256
10132d1644cfa80c51229f1e18a3cbae84fad91d7bb94f2e8e8d7dba661b7e5e

SHA512
486f5511e6c68ec674d61f33b23e7cb604d4271816f8b540a620e2fcfc8721a84b6bc4f333e22764a66e1b64f449fae4a647ac7351bdf02c74c94713c44e9223

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
a668963de1fcedce3fd47288b6b0c037

SHA1
948ac140314e7a22da2e6574cbf10bb8f1dfb424

SHA256
ed9cea03e1159781d325bf6637c2796de973e50a4344e820b57baa6c876c17cd

SHA512
aefd7d6449636d37e8f03f4cd9baf6e80237eddbe00df700258695acd0aab3f1d4260e56cfabfa94a46f7c4d62ac98ebe4698039e30deb26ca6d125048a7fa98

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
2463958148c5eea6ef2a53158ddc7168

SHA1
73af7107841124af0e1e4263d80a016c21d9262a

SHA256
64689b10e3041cfdeea46d7e07a22a1eec0682f7c612c3b847c95989fb15869a

SHA512
49e7d56039c60b77bf10de1e8d169bce5574908d88fab492c2c3a62b060830efe30166713881dca1b7e630966345eb3b22689d670d32e6c5588cfa38e2625cbe

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
52c991757c9debd0e5120d4651af7121

SHA1
7d8113ae1f2ef5f2a1ece9a2940b957b6beec19b

SHA256
081b2102a5b810a0c60131ad85746cae301e3feb37dc4ff1118481fcac828998

SHA512
c3a3c66f57038e9ede4e8ffb9f7d8d588cc30ab4635cc26ee64799b2b35b9afd4f6526de8e078d1314565fec1395a6b92e38cf9249d9304b911e5c3bbd4b8f71

Download Submit
memory/440-549-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/440-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/740-85-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/740-194-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/740-81-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/740-97-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/740-74-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/828-545-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/828-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/828-278-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1160-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1160-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1160-193-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1160-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1344-195-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1344-542-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1440-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1440-80-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1440-6-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1440-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1544-206-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1544-546-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1720-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1720-552-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2388-548-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2388-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2860-257-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2860-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2980-48-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2980-46-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2980-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2980-37-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2980-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3120-31-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3120-33-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3120-32-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3120-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3120-121-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3124-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3280-88-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3280-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3340-455-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3340-169-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3444-555-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3444-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3760-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3760-493-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4168-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4364-245-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4364-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4872-12-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4872-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4872-20-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4872-98-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5048-53-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/5048-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5048-59-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/5048-180-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5088-258-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5088-554-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5104-222-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5104-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download