1c62cb49c4b1095d8b5e3bfc3e1c2319ad7271271de3894dfca84bffaf0ccd75

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
Size

1.8MB
MD5

6cd4fbe12e4a3465c1384284bacffddd
SHA1

9b75b89a0b5e8eba8f97d57e55e152debd890d1b
SHA256

1c62cb49c4b1095d8b5e3bfc3e1c2319ad7271271de3894dfca84bffaf0ccd75
SHA512

131b9a547b21b4f2d71da71ceadf94072bac169b621b3053eac00638b08b56514fab4fe36ef749b19cef1937836385aee7f2feec266e2d9730ae5264abded6ec
SSDEEP

49152:BE19+ApwXk1QE1RzsEQPaxHNGXvYMLprznyDSga9:S93wXmoK+XvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2500	alg.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
4288	fxssvc.exe
3256	elevation_service.exe
1508	elevation_service.exe
5004	maintenanceservice.exe
3548	msdtc.exe
1820	OSE.EXE
3040	PerceptionSimulationService.exe
2208	perfhost.exe
1960	locator.exe
416	SensorDataService.exe
2060	snmptrap.exe
3844	spectrum.exe
1700	ssh-agent.exe
2052	TieringEngineService.exe
3916	AgentService.exe
4440	vds.exe
3260	vssvc.exe
1604	wbengine.exe
1208	WmiApSrv.exe
2308	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dfa71c4b293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5ff201aa4aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc0c751ca4aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f57c11ca4aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1082c1ba4aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0c0281ca4aeda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
Token: SeAuditPrivilege	4288	fxssvc.exe
Token: SeRestorePrivilege	2052	TieringEngineService.exe
Token: SeManageVolumePrivilege	2052	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3916	AgentService.exe
Token: SeBackupPrivilege	3260	vssvc.exe
Token: SeRestorePrivilege	3260	vssvc.exe
Token: SeAuditPrivilege	3260	vssvc.exe
Token: SeBackupPrivilege	1604	wbengine.exe
Token: SeRestorePrivilege	1604	wbengine.exe
Token: SeSecurityPrivilege	1604	wbengine.exe
Token: 33	2308	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2308	SearchIndexer.exe
Token: SeDebugPrivilege	2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
Token: SeDebugPrivilege	2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
Token: SeDebugPrivilege	2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
Token: SeDebugPrivilege	2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
Token: SeDebugPrivilege	2216	2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
Token: SeDebugPrivilege	5020	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1272	2308	SearchIndexer.exe	112
PID 2308 wrote to memory of 1272	2308	SearchIndexer.exe	112
PID 2308 wrote to memory of 1424	2308	SearchIndexer.exe	113
PID 2308 wrote to memory of 1424	2308	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_6cd4fbe12e4a3465c1384284bacffddd_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3748

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1508

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5004

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3548

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:416

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3844

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3212

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1272
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c82420fbc505cd9eab403e934a4d3c1d

SHA1
4004a4027838277bb42b8e192a912e19609cbf4a

SHA256
637b47ec84b3ab3c0dca0b476d401ff8bdb75300fc63c710afc3aad40b09fa61

SHA512
264eb856ae844e78b6fb3c49f6f4ffc1a0c98d6a273d5d2edd0620cddd04f9371aa3ec971f402ce472a96e408bbbbf7faa342a999fe7f58f40e962e075bc4991

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
09e9c0826512ed2049096519d4b6f822

SHA1
256cee4d1d78904013258ea5292de356fba21e9f

SHA256
1cb37016c0894196c58dec587c8ed6d2bb13031aa43f737ac556d3df687d7c8c

SHA512
b697e8be314d1327d34bb56fe296cd0758c7fd33f6ba9e32f506b828d3b80dc185beb108b89e37469b44808c72ef6e069a0fcf9fd13b96b6e324517e527eaca8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
789837b395b1aedc68a7dcfa6c3e1032

SHA1
cd9f9bbb2115563dbc928f42c4f1944dcc51cebf

SHA256
7edd85cdfeeab867785bb38c785eaf164717b92b6de1a189f50c8045d01aadc1

SHA512
658511c008d94a4e808474cae4dbd4aff77cec418649b2bd6bbabf0126f0b1a2b1cfd35f010b195af05fb512eb57f533e408824b257ce52850d00b00aed2b72e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
366ba6db7b926134d865a0c3e428e5ff

SHA1
7c26ec7fc406478da49ebad5dd4477e9b3c7d5d2

SHA256
a4cace58ec25d2ef97b9884034b90625d37c39ae887061a2a7abf543a6ad14c3

SHA512
f720fab5176522e6874b9368aa5cf35b19f00f3f76924a3b093f098c697c7abd58f795a36852a21fd78f1fa7cf67549e798fe686bfdc821d891c5b76da7aff38

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e5b632aba86a1837c14b40767cd47575

SHA1
6361a4043efaf2ce1ba1dd46066f7dab2f8d110d

SHA256
c8a95318ee6f1440c7be007b4c53219f5701e73adea9afa30ea95c12ae76131a

SHA512
436002fa797262df58c4ad2eb43ecf69569d42431022bf0a1b5e13845da9a4ccb9d9321e6df7787dab7036ba3142e93f8691b9a4e1649eeed039ecb8b77e34d2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
0a6ccfc02a7aaac00bb529d43ae98979

SHA1
ed9c4cee8e8b0e3eb4621a66779fb30707a4f317

SHA256
e6d769ebd67774cd047c44a968063b95fd5a705c311e52375192fdd6de942ed0

SHA512
3334b4b21f8166cc2f0105cf4d774b614ed6c3cf6a7b68610954ead1739cf2d3c1d9c3b39d1bacaa00982bd9e4f64e84b477b9f809bf9080642edf427ce058cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8e088b0ebe4945bf496a1d1066ed2687

SHA1
511f61bcb10bf13c07962b47a97f429704e3b113

SHA256
fb3c9e8c56f813847ed7eef755d0ff1dcd76c98cca5e5723cd5d22e0cf1bf881

SHA512
6aa00c87775ec92ea638e224bdd7ed1698124ded31937030692669c7d8457682cafa43e34b446ac009a4de6957fea4384b134550b5bd6948cf1a80b831fb2283

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d7268e0b8d21a48d266e97e1ccce2bb4

SHA1
1a00d42fd25047dcbef1a8fda2f2c21a0c8cb217

SHA256
4b5f0808a022085b020a985e3e17572e944f849e0089e9ea6682bb4bf18f1811

SHA512
63cab9a9c972058f1e405acbae01c87ab42071b4d25654811648184750f23c4ca16536cb1bacf8a6385768063fe7a00e1de010a5ed1513253fd2e22ee1869d76

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
65f7be7f92b068f5f3666feaa106053f

SHA1
31fbd4886be048c537bd0265f3c7ba758e7edf67

SHA256
1d504c902420321063bccd52574095b69eb3cf49e81b87ca55329b2dddff78a0

SHA512
f270696a7035d392a4970727865224ea9468b63256ec54fd6ffa303cf9fcfa2cac777d26d15c9e25bd6ab34f0a2207be836f161768f94969bbd854c8f0b09902

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
275ea9473a0150b8a9016ab3a3d63556

SHA1
33fa38f0469f890b80a0474d0cfbb45e7d59b30f

SHA256
a288fdaf5cfbd2a830badddb025aa19bc168552f34331c1b0b105db3ad1ab5fa

SHA512
44a96c3087d47f1078eb0143780f339b0aa95b46c5b6a382fc9b881eb4fd0180cad6de7c0a6a7dd7b112efb9e3e0d67f7f0a5ad37c34ac21df6385606ac5359d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ef25820764b96d537cef62d91e62d3dd

SHA1
c0c441717dc1ea991c1a38401f214a30e3197e9a

SHA256
ebd8697828145bc661107bf6b025b06d219ab7451676ec9fef88069860665c98

SHA512
138b81b5d157bf0fd2897f777e426ec98b101197d061072333028e2efa10fab65d083bba12a971f307e823245410f7e21101caa7c3a4f57174c7a9ce01e8eb28

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6813a0dc805a2cc5af2865c3e6c45a1f

SHA1
e4bb57ed74999767f926135844e0218472037483

SHA256
6e3afdf504d4331c312d80350d30f60ed04edafc842331ba9c07b374ed8d3942

SHA512
7f154af8f09647cdd948e32b57c6c969c9786d95b9ab1d7204b7a03a5bb5afb3f4557ce59d3f0816fa4d60e7e5e9e480ea301c84df9016938e5219294ba3c645

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
90bf9e14c3ab2ebc5e97ab75213303b4

SHA1
56e10aaeb6da9f97c470deef007b60b6f1987d59

SHA256
9f09a36a6e36daf3a2043fb496c8f2189f0aa67ad85f47349e8723b4a7affe07

SHA512
345d98780d332aa7b6894908b0a5e2987c4913a58ca1c47286703d21fc5c198680bc456d6e0918399837d84ae22aee3a8bb8b0c31aa34aa2592d392154baf1bc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
fa49b9de02530040d810801fdcd31961

SHA1
c801f99e1ea698a165ea52d77068e852db6b9730

SHA256
d3c98575ef6a39ebc5e67cb816c69cfa013a20ee0e3459f01af0d9eca60af945

SHA512
00fe7006108d0d333a53713f958c0c57ef8a22ce8924e28e8af29d4b4820bdc52ca259e66abfef88e14978a45778183ef122180c2a51eade279c698ca8699fb9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e66d2a44f388c7daa4ea911c0453567c

SHA1
6229893cce59e3d1570d51bb12752c41b3f24b35

SHA256
d83fa46b84955bfc924502278cb3159b5c4486e89038bd75d8b45b9d3ee50c42

SHA512
2cb5bd2a838dbc3de0765d83e6aab49a84ad5ceecbd4d12b7eeed422ec92c7cc4bb45a10f43c95d2e03ceecd350b2b27a63142bac4bce16c9cd5d741c8e5001d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
f21bf7eb049d8765299d942c75630b00

SHA1
d98831540a8dfa14f1c68a6978d31f971666b4ec

SHA256
eba7c44a982838481a4cfc2cd243e996d8e15934b28b8b0a252ef6820459655c

SHA512
328d3d02bc29c59b616b19f6b5f63366e9d0300c1f4e364e12f0d49483b245f9121097915095877221cbf21fe7293540e898dc5ad4b7e46a5da08042cce638bc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
fbac3c26d80609443488d96645ad4d65

SHA1
78ceb3fc9273b3742044b37e15138ca6a105a5d6

SHA256
d03d8217bf0e6f7030f168a368a9013aa3b36e2a468095e2477921e5a70d69d7

SHA512
433badbe672e09c222f6b72c54cc1d4063b0242be0783f4eeb8ec66def60e41e089aab5755b20227720f77200dbd3132345c708db2bd60b2e2e915166f2bfd51

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
854f530a1e5a0fe6dc07a8aea26e571a

SHA1
fc405263d7927030a365b5208dff68c6ae38eefe

SHA256
978d9ee059234a133357d0b4ccf6f41e3fab6638bc0d3a9b57e1c3573f6f6b63

SHA512
9e82cfdd29b8d4488ff02c8a20d2a0a51d5593f063b56a7da4b1643969051366358d4b74824203448f1c4a4c83153501be4eb966c1ec97b1749d2594c253e7c1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ffa9e73f958cafbb8735a0216bd2dab9

SHA1
403ef3738856285ed98e0c318a65200da4224d81

SHA256
94905bd87c098e67bdba81e03cdbce880bcfa0397893456780122af716cd8758

SHA512
4e25d2020e3b1edeae583da0309c9714ec09fb99307b0b4e3a5720f71f2604a401e6860ad9305dcb7aae4850a185fb489ed3f3fa9f3f8eca7f8495c32aaac039

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e717231572e7523e38c154f93fd7a127

SHA1
ff87ce982610771de3615e6ee4dc5564054bf927

SHA256
5d1e3863c47ff07ee5f7ef8a89b994df1dca2f07fa4b54ded17a592e9c95eb0a

SHA512
d6465e9ae42b2acd65bb5ac7544dba78727a6ee8d8b890c23a0e1a5d7c115dd1fb18a084aaa190b5da207a453b12a86192b39cf5acd9d23f649515559292d199

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a8fcca054ae818e728ae18eb0a99288c

SHA1
0e35f087ef819b2cf104e8d82b17ebebaa377527

SHA256
8f0c9d68e3a36ec99ed908d53c4dd8d3d8b43d007bd9e62f238bc26e5be5e546

SHA512
1ef89873465536a441589fb6f88a44b9a2ba9724f147f630e39beed12e2112981821715ac9498bb24326e0822d8017c5e1200b0a3d270c1a7572c4e845984bf4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
8580dbc57d099c9977132d585af69350

SHA1
d99dcf1325c4750c91c80123dec2806e301976b1

SHA256
3b4078b66f3e9d753374bee19b16247a362d959543f5febcdb4a0ab5b0949198

SHA512
19376bf5f063338f9addecfb03674f74257d24045bf0d1feb5b5274d416bb51f80aa1c5bbfe5db0334f9534257ccc20fcdc41ce4add552835d80c592107865f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a4dab1e580ec05a5e94bf6fa2febf502

SHA1
2d57bb48e7be8a9216b1f186748e5ceb25989fff

SHA256
479521f2988766f1cf039e90f24f10e29cffda27861d3ee46dface0983398cc5

SHA512
4d6f2ec0b4373ea5bed8f2896ed7734d617c5dafb246742bb918015fdef1eaa101ad923c849be4a3a3b37d0aa38b020c664236363b07ba31b5bf58be0073ca7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
33b1f361f5cfb20d8363967af738566b

SHA1
0323f267f306e126d88089ccfd74b0482f0948a5

SHA256
c75a5a8b554ad5a060e0c58cd1eab44e91401c7e78df79b8be37f15e55abe8ce

SHA512
b2c8fe9de481d002c55abcc3f82ef4afaac68c410df82d1f894994844e860849af74a36736b7d72bdae7ceaa1d92bb826cf0835e898ff6b623106b9666661459

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
75f4b700fdc7c647846f18afc8936627

SHA1
c449f7ecd63f0ab57b122f1cb554efbb238a4f8a

SHA256
5fe62bd9d089c06bc21c69bd347ea9c4d05c36c5958f32ea35ecb27363214073

SHA512
d3895381c3cf08c416c855497a968014c3a859933af4c7f6c51202b93e773a815b4871177b82c06f654d1f4825fc9b6369e03e3addcdbf83b971773c251eb242

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4ba213deb545ea13d7c63b61bcd6358d

SHA1
76d8acb41e514ea1304d6cd799230b36a630f00c

SHA256
a9f57e21f458b4bb6033927c5051e80dfbecd5800dd86340a36075902840c9df

SHA512
c5430e5bcb9aa93f19bd04f91f0d9f80cd470ad2ba092f422e3021656c9306599bc6c63fcb38b237f54127f9ac1c47ee1d4bd7aad4f8c520145f2bc9659f763a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a15c8c9949b1e7d1962679277e9627aa

SHA1
e50c41767829d0e7557344425fe921780ca5cb2e

SHA256
9931631a01fd4dd7f24a15081203dcc4c8656c18342402c12891dde70ce19b91

SHA512
f7702f371526f8c5c13c114fc495a9950164088fb75d7d15519c8af40ba096554ac78f023ad3baa848367cb5c4dc36b19816eb64d2244f22eb64ab47deb1d10c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2e7a2ffd0e434bc82e808f5ab523629c

SHA1
d21d08a848386d6c5f94013a63fd524c1f79a9d1

SHA256
bd968b90c129e102d6435e88f049a03ebdad52be0e5a7317b5f091a91eee3009

SHA512
865f76efe847db5e53e9df013e5730cfaa77eb8bb450f8dab19e383373627d9937c4cdc4738c90b02f317f5eeb66c0a328f701e3bec306362ecb5cedcbf82db6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
da5170f71364a740b4feff98b8e668ae

SHA1
29697c275368f2e0df4c58acee363bc59aaf9f51

SHA256
6d514e7dd0b3fa3f63a840425941eba07bfc6e76a66994099519c1ae2cfce5bd

SHA512
c0e0d4da2ca206e46353ee634920ed309e32c86005e68f5174e3e32ac06bc41987eb86089e446d320b6f4e2fc7f1c5a52f5ece8a22f31ae25c405582013a0c16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e7952f3a0713ea1170b25cc156f6746e

SHA1
96f942c769422554e3c7063b26acd56bf2ff1170

SHA256
c68a0220428735ab8f81394579096b9f074b36f3b72eb72632f6206eb7de7f7c

SHA512
249347a8df51f2e48a5da13ee0e206ed3c4ecfaee1caa18ef5c3a7e8f6477cb4cfc37fc7b3ae027e60f8d246c930c5dbc4fd4d85ff2a4ccfe19bdb33f3e0edb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
78c0e522bee0ec15fe6fb266f67f7509

SHA1
403ba25182cb428060f40a1b24eb81701fdf08fa

SHA256
562843a9c9650dcf6ccce8d27b3c2ce8ecf9e229d3afcc1a876d4d5354a38d05

SHA512
b456adc0287557654ab1deb108221f0e2362f19cd16d6c692c26b8242582316073ce8d806ebda9481bb212eec967b8cb47a5acb50154c1451bff7599978014f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
692ed775a3cd427a66a238781db6764b

SHA1
92b21c88441f97b152a444849ccb8fe918e2a5ba

SHA256
5cae3272da4b92800d66ccab2a3f983782af78671633ba91ec93a338b235751e

SHA512
da638bbef06239dbcef8c5edeb85eb8a68aa22cb6ff6cf69c7a9765187b87181ec8564189beb0e854cff74f15ceb14bbd3adbf24227b6bccc6382187fddd3b43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b980568e1760d92a64f51c48f36098dd

SHA1
97c1d37162f15ed30a2ff91e531692a6c53b010d

SHA256
5b01b613c9eec8e91583ccfb5e9f3c323ecb6fc9b42b06c1e5e7aef7863c17b4

SHA512
76f0991af1e0c93f2ea96d21138267c250b542b0e561f489855bab74088e84a368f2dbe09a1c176c06171fab024f01c203f8317e2ca568f3a308683f7bb1ae10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
c6a88c3fd0e9b57d0f0e0929563922d5

SHA1
3b9c703226ac7ea4ed462cb79e5804be88b726c7

SHA256
f80a171cd4c5c11013bd707b639b52340f53079cd4c0887b71e3dda2f487960b

SHA512
b05aa3ffc389130a6d3bcbed7aca33d07c9326d43e6fb901e297c33fe249aa63dafc7dae3dca92909e767ea6a0cd87b9ffbab265995f46afd2cfd6c6377fe144

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3e52b62985f88406297fa4d2043d6713

SHA1
2b56a03ff9da5f8b34b8d8316b0077918c447f33

SHA256
d83c6f14cf9198bfec6c7874e366c83369991965643f1ec90b4c2f783b9b70e6

SHA512
22dcdaf9f8d4dced15d1b163b69ec56033bc4a60b578921242924d887d483fb20ea06f54341624a80a332756d1b1c8248adf4c7d29e2d272d9e3fc66a85876fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
28d0fc8fd46164312607432337b96828

SHA1
c3f142304347cc828c60ffe3a85fb79fc8548420

SHA256
206b04e1b1ad72dc812c06442d8534c1188336f2d3b63a6f2c3faafd6458d215

SHA512
0bad05e23bbafd869484533b8e72382a79ac5feed96c3a4d121afbbff7d1cd5fe446a317d597c6481dfaa87e1e885f843c34698295d1e08ab8783707c610ead2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
583454775b452e460e6ad57c646bee8f

SHA1
aa33b75fa619625b08f4689b4b40b32dadf4c482

SHA256
c996520963333c8044cb482f0c9b5dd85ac9880c465274a7eefe0ad80d149bbc

SHA512
7f407a39b537328aa519d2d340fb123b8f0b8392d63e4e5ac904a0301a838ece03879b9ed46373e1fb11aa7d259bbdf1ef1b18485c3fc6dc60c4ada3cd83cf91

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
56822b46df52651c59e1ccbc91921ba0

SHA1
7b5cbd0cf08c628a3bc1291e2f89992a79937a22

SHA256
c89f429669ca854f3d4407f3b236a99510f72845a9a8949862724ae5b0e938eb

SHA512
b10cc71b43a16271cbc123a268bb8e72635913df8711600b6ba6a4460cc68f259d0205a6c7dc912a50f28377a09169e4681717480e18bfbc3ae9d18bee84724b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
79046af0ecd339c46511823329fe5a4a

SHA1
280f615ad4aa0a2fcd4134988b768d52b06f4aa2

SHA256
172bc9e43fc8103125539758a7bfa876d38bd6d1c622fbd7bd2fb905fc97d2dc

SHA512
2d6c6ebe74ecf31286fa170fcc5167530a84155ab1a6e32da4a2a2fd46cb1e180ddf5f8dfc7d81d103b6605e543faba231d50d53f0a7e9f4298aefbdf09c355c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
03ec0c1af7c4c10ff96840ce8b7f3a15

SHA1
693755ee994a6995a2885839d36e8682a7f35a0f

SHA256
48e1d9009965cc27c458ba6515c6dcd24f9585f6ae546b8c54fd8902a5995e11

SHA512
02a1904c338ab06e1fa0e06769670920db1230f3b0cc15657c55ac7b9196ab00a96e6a834139719fe4af09f4f1c159f476959f26dd67221fc92ab31cbfe40356

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
76a933608212b12a371761da50507eeb

SHA1
0f01168dfbe7638fc386a925f2afce7004fd15bb

SHA256
67d59c3d8d8e9cf82a22526f869160511a35bfbc87a8403ef1d09ccb217bfc50

SHA512
3f7afc805e67305511ca569cb193b69c972a2d26afc16be955049b60edff7392a22090ec73bd87c7ac6236723abc6ddff4598da0061796b606576c6782982be0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ec29f244e06c039eb59c4828f62b3dd6

SHA1
ba00309fa27401a0609e733398615295d5e92c20

SHA256
f230c719cbecf2ed305af00ddbdcf4c936fd1d95210ae6671fa8aa0d03e4c720

SHA512
bd3f1ef05422e5f2171fde2fe30583f19d4ba85a5352b529ead95065f8531500a958e1307fc6b3403c55846089fef57226dac673c0e0da264dd0e8500b265a99

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
752ee2017cc4308c3529cc5f3c8e6f21

SHA1
29fb3ed1173c8b858e3a65622759a51d17ad1465

SHA256
3fda92bc40b4caca7aa938d565edcd4be46d1b17f78f3cf2766dea39cf7c329c

SHA512
aac2b13062a7fbab335256ea57387887d06fc4f0f9ebfc97a98a6369a8bc23ca86820edb90393265e06c35987df194fdfbce6c5f2f62eeb6ec2325d5d3916348

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ca578cce535aaf391c53bd53c1417485

SHA1
f9ab4012eb6c402e0a418ac43522557e5a5c3287

SHA256
9fe8b5a2d3fa5cea480af3f3fdac2694716cdf1ef4455a544e84d92cbec958a6

SHA512
6b4f954c3e2dafb8ac50609fe77dd0703e0f83761b4439de85a13f1cc9c930c4c3b067a7953bc9d4c6636f7b0d95f76edaba47f6efb142b58769097e480ab5e8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
7811643456c9e101928f2b98073b6ea1

SHA1
87c908904857faf0f762464f051d260e48d49c95

SHA256
05bef4dcee4257fd846b7244424d215cc326df8fea7c966fafc9f4595a935df1

SHA512
7b119c3b4f6a1cc5c471d8d2083e1a47269d37f94a56644884c0935166642950d1a17ac510e40f38ed0d77bd52e2ddeb62fd4eb5128528ca819648aa02dc8eb1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
01871a6e56a0b7f675c01efd5cb200c9

SHA1
045a898fd300beb8c8ffc87093912dee75b0d4c7

SHA256
281b342e246c5413233d01a3da0da67ac003884c3d01e542ba7f983e37b5d808

SHA512
412d2f78a6a76b24edfdf662c9e9021dd53a1390b73e17be0e19a5ce61736ba8e97068e74d66ae1670d97420f6d4a56fb8aa4c28b587d8b6da4579144e3f6663

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c1edfbb9096fcfe4b319da6e962cf66a

SHA1
17a7dff6910f8daa164ddd306d046e2d677033d9

SHA256
2838d75d07a6fc0269146543528f5d7a7dd9390e592f1101a6770e5d532c6ce0

SHA512
b7b5080f6e81d8cd498dc1bcfaa055c5e2fbaf02b36b965c37403d6a219d5ed74c773d42632023f2c202d88436c1b00157114a4739e93209aab3c09c3fe2e41d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
88e31f4de19368082355530cde361ca6

SHA1
8679ddd5f9c55b9142ae0cc51d0af7b75ea0f4b8

SHA256
51d9a9949422b82e35d74432805d8f90c08a9b2328ac942bb33b2991087fca6d

SHA512
e33c71d96647da2448bd41cf795d59d6937b5f2bba8e1211072465a1dcceb108a0be0f45ba06998c2cab2114df4e1af261d5655928fea32d4a19512cd37a2326

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d434a7813c743180535320246826f165

SHA1
91b03b3a652e3b131a42646c707de699f6f5a6e1

SHA256
d50b92b84ab4ff121ced23d9ca4f8b66fe0cb9a7b95938aa7d8a5088c318252e

SHA512
46d318da4b39781191e012166bff4809ba8bb67f08e96a86ee7f7d8e51951a318d81f9f438ac56f687bc530425469bdc51905fd9ad6e5644bf12b6344d3ccd0f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
49fcce8ff11de44db3d7bc084dc9f306

SHA1
55f86122fa2e7b8b0caef8e47921f85564112db7

SHA256
652cd9b2a73479c97bd0a0bca58631ec00c3037d788d9de547ad0c7f1c070c31

SHA512
7b5f99daf7bba7aa64d4480fde2c43518ea2b1d217137965d04e0b038c1d0291bf0c855701b0e945665e84cdf2750a0cd3894f1486e91a6b0fd695abb6f690c3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9b20f1dc3b80da4d08cb3b063dd9a0da

SHA1
b90b4dadb15b115675d1190a7fbcf427c1333c74

SHA256
f472c5c9373482726a98238aa443311ecaaa50c0d995a95002747229828cd1f4

SHA512
959ec697eb0cf20df552d767f586e2b76f07cd62091ad571657371a56916c037a22e4751a6f6f41f577d0e02f799c9ac28684d4854ac7d3e8f6ff78df3115d38

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
51d620f68d6fc347c0cfdf133b95f206

SHA1
a0fde4f8e7aa5668ed9dc016ac3f8aec981853e5

SHA256
544618c91aef36d138f498f16426dcab6dd391afa829394edb1165225f2772ae

SHA512
9d9f8db71c06bc1e4c7c1740ad459d6f043ffc16f1659f76b71d57e6b0ce0c929a91e74283826a2d8dce344c7715bcb3850fc96baaf3fc64e17b5b67b6fb578d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4afe2b76e91284af6156c0933f6f48b9

SHA1
48fda9bb19a132a27f3d9e66310189bd0572163b

SHA256
fba9793249c2e59b1fc58f7b39caea24b1907aacd33f65fc82d8ec31c1f64adb

SHA512
2147e157c7235864e5ff82230e44d0bb05bca635de1dd6b9fcf72c7b8083b2b6ab042391f017397403b99db1a1672cc0c051184efbc69a5e150cc1b4cde6bf3f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3657e9078fffd0d67b3ca29ef5f40025

SHA1
6e66091c9bd516189747345710926c83f0133355

SHA256
4f5929b398ae11ae2fc4ca0b966b6aab2231653c6bc09b2c2acd33b9b9cb614c

SHA512
146cb74ef0c618473fb55480822d04223dfb471be4ef856e63f96f828a4e01ab3397a851cc0718d2337422b049f5af34aa697d1be8476dfc13da56cc5e128bd2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b890f827bfe4f192fd675bfafeae5e0b

SHA1
8514c79a45ab0a99e1e60945307163cad986562f

SHA256
18116c47945d5f3bb3fe6d05fc2c43a11eef9f92bea3767f86aa326efc274b35

SHA512
b5a4a8a3962aba7cdd5bf6d6c7a869d9da538da22372e5cb72e173ed86191310bc7da8b707ef7b089a4269b75e74d126e74bf1c14bde5073588061f74230d9fc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
49128b97589ae52117d5f0799a7d62be

SHA1
79ded79c56f2ee85a754ad417ddb5d01e0656ab7

SHA256
56529ab46674ab6737751ff0fbcc8c4b9e6de32d7ca229948cc30b05079d5870

SHA512
0de8ee533e01ae48b024baf36aa0aef698ff08b38cb0ef7e1a97e51b420951754e6ff181739c4de3493058c9f13b7bab1e2524696bd08ed0806c395ca3c87347

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bcd4b50c73b8288558082eefab0bab82

SHA1
52fb6c683b523846161bc6d39e11dbe970fd1522

SHA256
37994cdf520344f3aa24cd89c528673f4269c79d49a493b38e3b19fa3ea087d9

SHA512
896566bfb662845f7c1258db6f5e7567e84da719628c2697a87a114c9c70f0b81da0d2b91e79e69c81866a6854ba378e072bd8312fbe6c22afd8ced348d8f773

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
c2ab55bc4340e15984468ce70032a79c

SHA1
48c1b009cefa79e413d374ee338f7504c3818f7b

SHA256
50fca32bc4b64da43fca30a80abb0fb68d40ab33963b54e6ec6df66b102d26a6

SHA512
02103166c4bacb70b826d02a54f7d49fd3e1dde4e527a25a7ccbac7c907b98a5beb246bf194a984fdb4d7047312f2ab9bae3ee7bc2ae812c02a9048823516c90

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
d9becc0d79949740bf3b6b8cfe452357

SHA1
196fde832c71d1b86195ddb817f5a8232195235c

SHA256
315211895936785139a49dd0d1741b76b2a618430fa831828eee2a2cf516e075

SHA512
9c3528058d60ae744d7856a0c497eeb66c6219131521d70ae3ed3880257e0f74e8cb1e41d502f703ad6bdee080bf80412133686dc518f128ff420971f9ba4bbb

Download Submit
memory/416-358-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/416-140-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1208-400-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1208-165-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1508-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1508-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1508-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1508-392-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1604-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1700-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1820-80-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1820-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1820-74-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1820-396-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1960-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2052-398-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2052-144-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2060-141-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2208-103-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2208-137-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2208-98-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2216-1-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/2216-8-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/2216-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2216-135-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2308-166-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2308-401-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2500-318-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2500-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3040-136-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3040-85-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3040-91-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3256-32-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3256-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3256-391-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3256-38-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3260-161-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3260-399-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3548-393-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3548-72-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3844-397-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3844-142-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3916-147-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4288-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4288-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4440-160-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5004-61-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/5004-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5004-66-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/5004-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5004-55-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/5020-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5020-25-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5020-16-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download