b69c20bfe8c30c87ed8d921854abe86a999de01c16a39a5ab44bf26d311431e8

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
Size

1.3MB
MD5

742121073bfc190685455102ec49ccb7
SHA1

7a5aa1a72c7bf2f0aa97aa1c5aacca49a23a1f52
SHA256

b69c20bfe8c30c87ed8d921854abe86a999de01c16a39a5ab44bf26d311431e8
SHA512

6a9badd05b6c6dc02e0cc63213bb75abe50ecdd25bad475acc11c06ce4a7054e2241e23ef83b4d05ebed8fd1dcb401fd2c67346413e8eaa8978ea80e6a229196
SSDEEP

12288:1tOw6BaXMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:/6B7SkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4764	alg.exe
4936	DiagnosticsHub.StandardCollector.Service.exe
1892	fxssvc.exe
2292	elevation_service.exe
5096	elevation_service.exe
4472	maintenanceservice.exe
4176	msdtc.exe
4848	OSE.EXE
1680	PerceptionSimulationService.exe
1260	perfhost.exe
3976	locator.exe
3268	SensorDataService.exe
1800	snmptrap.exe
4728	spectrum.exe
536	ssh-agent.exe
3668	TieringEngineService.exe
4492	AgentService.exe
948	vds.exe
3108	vssvc.exe
4388	wbengine.exe
3320	WmiApSrv.exe
1420	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

Processes:

msdtc.exealg.exe2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a46c0103e6c0d63.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaw.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\OptimizeApprove.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaws.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exeperfhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6c58d59f83bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d0ff959f83bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005f49f5af83bdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb04d25af83bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e3fec5af83bdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd64125bf83bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028f2be5af83bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001269b55af83bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000faa06759f83bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000524af459f83bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe

pid	process
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
Token: SeAuditPrivilege	1892	fxssvc.exe
Token: SeRestorePrivilege	3668	TieringEngineService.exe
Token: SeManageVolumePrivilege	3668	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4492	AgentService.exe
Token: SeBackupPrivilege	3108	vssvc.exe
Token: SeRestorePrivilege	3108	vssvc.exe
Token: SeAuditPrivilege	3108	vssvc.exe
Token: SeBackupPrivilege	4388	wbengine.exe
Token: SeRestorePrivilege	4388	wbengine.exe
Token: SeSecurityPrivilege	4388	wbengine.exe
Token: 33	1420	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeDebugPrivilege	1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
Token: SeDebugPrivilege	1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
Token: SeDebugPrivilege	1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
Token: SeDebugPrivilege	1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
Token: SeDebugPrivilege	1512	2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
Token: SeDebugPrivilege	4764	alg.exe
Token: SeDebugPrivilege	4764	alg.exe
Token: SeDebugPrivilege	4764	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1420 wrote to memory of 548	1420	SearchIndexer.exe	SearchProtocolHost.exe
PID 1420 wrote to memory of 548	1420	SearchIndexer.exe	SearchProtocolHost.exe
PID 1420 wrote to memory of 2920	1420	SearchIndexer.exe	SearchFilterHost.exe
PID 1420 wrote to memory of 2920	1420	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_742121073bfc190685455102ec49ccb7_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:228

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5096

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4472

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4176

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1260

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3268

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4728

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:536

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1228

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3320

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:548
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a5e99a69bf214704c3bb5bc276003cc3

SHA1
6cc95baf45c4dad7b6013a5d516d23634cdb2a69

SHA256
58996cd1c0b4cb46a17848793e5ae539ee8bb89998e9c91268766ec698f1ddcb

SHA512
1fcbfd4008a9009dc721c16ac342c17ce6487d2830c66cd897e779af5a347cda29adc3bc544693270f78cc2b5cdce230616d7cf99505fefec12b5abcb73dd209

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
57b799b6fb8bef464f6ba948b9ead6c3

SHA1
861b54db08f8db80c65da630fa3e19b67c9fde97

SHA256
a824e4bcc5a11cd675fda73c638e1bf769dd01c8f0094a9ba5e5473d3b845542

SHA512
a7ea38d248f2820c4081cf71854a0f499d662d0fe79fee22e227637674dcb6346b411eb8be342d38584cb82c05a154c98afdd8b77b05a39ba7190fc430dcf48f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
ec5e821869ecb7addb2690f08e43a437

SHA1
4005ff29273741406856c2a28de0d28ab2f8ecc2

SHA256
6d56a1e85924a7786d11c054c729e57055b9ecbbaec13bb653f58de2d96d96a5

SHA512
b2f0d7c583a437bd749bbfe8eb50a0a09f235c38b80cf5c7392cf8efe3163fdab9214e76a8d8405ae420f70623af448705cc4ac704ebdbf54af461a7f68655bf

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f222af941d6ba557b5a457becc65d0a8

SHA1
88a39dc45fdbe71d689edf932bc62a135924ae46

SHA256
803a1ea50509b88cdb308bae7b66390a05bab4da2c86de43f9389130fed78396

SHA512
6234192dc5e31b928922d4c3ca2bf68b3b999c66733ab17bf438ddcd7ff239d2bdf62a0fb4cc4adad80c371f7f9a8a98f054188290e418f2c1f5e9154582d567

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
eddc1c529f5c2ff6fae36b1a439ab900

SHA1
8f41b68ace07ad738008991271facb37df88d06a

SHA256
b6cdc486c4bd274129d77cbfa9902cfc6c1c80d6f33c3286ef028082e6327b1e

SHA512
3092980373febdc8a6263501ffbf0bfe93f9faff3a07c584bb435bbd0af34450f5d52e5370d980239900892a47ff4dd0b11d5af84ead4b210932c88c637efdfb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b90a7f85f6b26091a00395a6ddd86339

SHA1
754e51074e9a322eea9397064591e319f0a4d21a

SHA256
996fb21d7598684fa57cce3e2a91e1ac3631ea2c3f872230bbef6e24340bc677

SHA512
75a55869d2a1ee27cdf869b711a87c94737579c57cc9529ed08b1ce13d1440306efbcb845bec11eb2c8e36c5a13c2de0d6b41f7f7762fe11ad6780e18b1cf1f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
1dc7305eb1fb9f8542e54aea845da146

SHA1
917a6d26c9c915b5450aaa0f2e3152a99831e1ef

SHA256
8765033f0f34641fe1b510614d88fff85cb3e54f7a6de5903497790eb82f62c0

SHA512
f32d592b8662ce448bb57972f810857c7949bcac67d2c642c66610b33e5548d63ed6df1173fbf6d3f13c08383a606a3b1c9593d02b1f13e6c078aaf57b343c28

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9a763a7906efa9891b76064ef9913386

SHA1
41d9471b39cd0b6afb50e22545ba67a7f5fecd7b

SHA256
bc4f1d45d18cc957092f8be6ad7900f861a52222f32c54879690d8683b198534

SHA512
d7fbb69ec5c10114e92472c7a428603e64cfebce28a1e33b4cf06e25d3ef748ca1d0f2983cd55f4d3215f4195db7f196ccccf2afa8942b590dbde3fa3053ed77

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
f097a63bb4b476e31ea74dad075a6dcb

SHA1
75b6cfb0f92c0edafed5844f8e650d39e3c6f779

SHA256
1905e422e006c9a0a7518fd21c94f76ffd7203b7c2c8892c0a21fc4d206272c7

SHA512
c9f5e566cc7457170f35b58ab4fa33e0178594d0fe1d2a8875eec1d045845b8f8b5a57546e4f3a0927c72332bed908079d8f31229b9a45e37919cc36b333c1d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
82b141c261c70febe6a814a38c216d34

SHA1
3eaf12f9a35e237531919ad73d521214e158c9fa

SHA256
30270471c4147a5a6ce67b4707927bc24f5654be9599264a2601718d294e5339

SHA512
2605395fc6c7a2aea905d18a741795469c42d5859317afac977773f06185631a3d2bde461db81681242afd741344717b38a554062545e1b5d006b80ef8a9fbfe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c058baf5c637928d690a05059e091ee2

SHA1
8fd8decb8bbbd745d6b6578d7931f02713474e46

SHA256
46d458e24374c4f9a49abce2908b33e219dcffdce2f8c8e7a46da9dc4f4b6a19

SHA512
3f755cb573af6ef84ae02332a5ce95170ad1ee8fe564de22ce28ee55d081cc89f2202976241845018f26ea592eb684c12be5f7840a1c7cdd5729389c32032754

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d11bc6aa1e662db76aad0958032c7e23

SHA1
8b0425243a0c2806afae630b73fcfeb332923783

SHA256
d98f7e24a88a1d7cbc32383d344c76486513175bcb33012c67b24867e154c6dc

SHA512
bf7d23a2f67f75ca0c22574243c221152d4293fa167a600f8e4c3037cfce1d8468fe34917a4cfac4012c9bb744b03268c0f9260572978a0a864a786e16aafebb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
307e8f5ab93a3eddc32d017a4f3999ae

SHA1
839418734ca3efd3220944dc18363bcc7eb0e01e

SHA256
c4cb81fe421c96b1e12081a65380755bc6b393af9e97daa008100842a4e980f1

SHA512
b5cb0bc268d16634a330433d3b12795b8f2b475ff4a063bc484ea76348f0b352e207c24eaca95037d30191fc88fcac2623ba5c57d7823172ab4547d8e4502144

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
624c10366c38837f9091c9babb27b668

SHA1
e5194ebdbca84d7eceac0cba2dd60a54d43fbc6c

SHA256
8874c941dfbb7498fa1ab2ca9897513e6fa6a17a2258df04e1a1fdf9760dc0de

SHA512
d8727317f9b72450dac581b1d44eed7d73fbb9a213332659b769100c8f0f9ffdfab739a5d24eaf19ac04b28138b10a9709a13f80afe24a47b97ffa558ae9abb5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
eb89dc074bf274776b93bcdb61c8e865

SHA1
8972af37af4c120eacb2453c1b8b83ed1eb1275e

SHA256
d9392dace2934dba4440d52710f9928502e4930a50cb93f4d6dbc3f43a90c196

SHA512
c2aea78fda06fd2d3b29f27052e7558653f862ab5715e2946fcb73543290ccdf8ac2ad3f6d210eeb28715e6a53004efecf09bf28a454c31a6c6511f0c204cdb4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
0c09baf7851388cc23ccae5d05a890d0

SHA1
2676ff70e6254cab6223f1a25ccdd7b63e6f5b39

SHA256
36f4a69a2ebc86c87051eb40760a1c09ebc4dc446ff732413802575aca052740

SHA512
802d1fd3bd8148e10edce71318bc7d9761cbcbb1d6c8ef094544ed80a8bdf4d5a13bc00a629ff4b1d8e3f73541d61addd618ba04d33384d6622c3967abd351e6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
832acf31046ea04b5bc31daca9616d6a

SHA1
9ef1361118aa9b5b9e449dd8573409702ee4c301

SHA256
a3236eaca89eb558ee44d42e17a4a319937f161648be85496473f10ae4f1a501

SHA512
11e01966a281d931becd19b4de8c1f80f6a8ceaa691af9af3ebab18b7c53c44598858b4f94c12bb1b291ae559a91e2a050f31d71fee8a9639a44c1a4deb4628f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
aace41af69b85a3357a5f989bd0ecad5

SHA1
e487fb77a924850b1d1f3aa65dc201781eecdffb

SHA256
741d58ec81554f1c42cccc7034d508ddc77262bfc55e8b9e5a9c65d1ff68a264

SHA512
b00a10ec25d9a4c6257404aeb3d6b529176de14a5d59cf79bd1cb5443635830ef39f6094c39dcb3c9804bc522831169e0b1d258b4ebba53251510741171277db

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
613cb78ef0ca41e49f9066ca6d8d9d6c

SHA1
c82d417e085961dfbb650a6c98af76913659a4a1

SHA256
df65d90f35521c4df36e59e4a78d15eb121c5feababb97c8f40d9dc8e788baab

SHA512
cb069b91bdf213cce6b39a8087586743c948703a401fa8d2960b6956094fa87ba95ed9e5256c2af795e735731a037bab702ae2098564ab7dc9a81bb3abdc33dc

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
1ab8e726918dd0dcf5e8d821446d48cb

SHA1
93773b6f601682804f8f4dae4ea4888ca5d34c5d

SHA256
26ca961fb0cb1fbbf9c35257d8f6dcb017b6d95ae8866a41cc360b4e3eb896da

SHA512
9af33c2f1e3e5f40e28ea0919117399a02cdffcbc87d22a868a837450f7be71dc6b8a7bf7615f80a425f3f5c1df0b181bdfd61c9a5a4e54a73604d0480678fa1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b59bdea1d089b5b400e2fc6bea23a2f4

SHA1
2e911f5ef72d8a410d1f10a98e3d9912b1ceebb9

SHA256
fe109a287025a1699c5cc0622a52f961bd9b0471ada2da8823d6f8e4683bb042

SHA512
fbaac6a8f80d584b09eb92c5410823bb52e758e1547dde702f43a16111f49ab6c1f1a099ba677ec196938ede2359755a1304a59e50043caf11b84371764b1107

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
c898a1144755a95c55ea4916735bf54c

SHA1
f4d8aafd62491a0de34608e6f9064c1e9b893800

SHA256
005c613f454c1eb7620f2c6bf47e0edb92adab7b9bfe59125fc576fd808bf79b

SHA512
c63143e0fe205e7339ae52ad8778efe4f88ed4c2bc23ecb80c5ae96997e707c97272591df326925b762782c699ce0c0646854709e0924db4419af833af728683

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
2d8a02c1264fda5c57e24682ffbca21b

SHA1
f895caab6fdfee7c02ca8546e1a49eca98951277

SHA256
ef5646e2fb4de128fda5ffcee141c7b4b4fad4188132575ee769cef21ea7ee2c

SHA512
f84b8a33fe4bc9ed5da6bb37bacf6cdeee4828492c22fe81aa0b05fed0b04ce5093333af2cef487aa64c1244091d2470c7d310b44a124b95ccd647661628309c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
5534ab879e3e1e8b00dd359b81dc6f94

SHA1
360cecbe419318ddf0d5050d48c2a13342b65236

SHA256
26b815559c9b890b03526a8de9ce999a0371ce73b1bb96e1faeb37c5d6fcd6ac

SHA512
70d9a1932cdd648263da55658645ec911573904cdb3138e434fb9b0722cd821c46dc604570a2f1f3ac75a5de2048c4077f284338b5b525eb219fca55214bf54c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
856948715261a2c295a57bb3572d014e

SHA1
b5b1e928d4380657c80530bc3cf0f7dccb95b7ee

SHA256
8821c9b015ece4ba1d6e2c20518cb23beaea6c040038187a041b155348ce7e6a

SHA512
b3bd76089a6903480b452d62499504889cc7ed81548443a79eba1225227fee7a6c4096f0ad53d3cc4585343230d825f382f51e986f3f40c2c77a58c794b3e59e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
d4147951b99b29ca16416fb51c9db19d

SHA1
e322f9a7fb627742f5cedcfd2349f18fac3285b9

SHA256
810b0930bdca6cc53711c6f71b387ed9cc261c293e6cec74b8433cadef052c5c

SHA512
521f0e7016b7494473bc2afc5bafc420d7161d80b022bffbccfd0185ea64d334e6c926ee245d5d9cab5b5c7d330d6d973231d260fd15c8e352b22b060eeb8ff1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
450d55757aa6c908eb9a82ae5e3496e0

SHA1
a6ce26fa2172b7a883edd59323221704b2f8b6ea

SHA256
f8935045098f7eb866a5423bcf294b2af05ef1e159d01e542dce68f21f1804f7

SHA512
1d346dde88298c301b659f0a10c399190f36e609d18a6d4084515f17105e414689b360df33ce2b1c8757622f2888bc0a0f8049e2d82c64f7f0ec7a1c16ae18de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
78f118e27c3f8483e368e58b4b2875e4

SHA1
99ff2c8265d95f1daa201523daf94766147c5200

SHA256
0f2a5eeee13527df02b65f9ed92e6cf7490866db9ac0a7fc8c482f4e6cefce20

SHA512
97a5ef27e982d200f02685252f2c28f8e4df771231e9f18d860118a67089560d4b1c476c4aa1b7cb37dea132cb8257a2bc3becade0dfdafb6029cccd2840729e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f708b2bb18480fa2e07d0608a518bc62

SHA1
7210e1eb81b8e49fa5428c77268822be2981ff4b

SHA256
58aed49d3db18c8785213a5ab598e9d391094520c403c187f00659bcd236faf4

SHA512
01ba74376624b02b1d22aef25d098e89e073425e279f03df686b131192c89cbd09e20286b20e5c81112e323912471aac029793242cb4d4f68c30ce36526f5f55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
69a2cdf20483cf38d57788729bad8916

SHA1
a9af6d06cb81c2964299fd0d1840d27f30b0074b

SHA256
cfac2fb2dbef6357bae878e6138cbc601d8a7195476dfb615a63caf1e229f90f

SHA512
469b56eb44f8d77e05dc7c0a90b02e6c8473759f867f4f48349e1eaccc6c366fe5d43f7db856602558088f888b87f80ade787bca0c87b67819b41869261d8f06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
9ad9df5abce765bccfc3c03a4f655d79

SHA1
0f310fc109f7a3338de717edf95429bb74416a0b

SHA256
ce66be76159643dc5d384db0a4094b44203a80e6c767bc7adc4e14511d8faad1

SHA512
4c6bd4ae229b3da06b1398bcfb8a7288f8f9c7bc745551a10dfe65b5acd6571a19aeb7e19d879042bc37de5a722f9a5fc3490e159c76990bacfc25b4850860cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
6cbdc532a1e266699fd3044a94f856b2

SHA1
9ebe7bb541d49756338f6d6fead02f2eb72d9daa

SHA256
77cef8e465d4038e0542f0155c6e40bb0a825c09bf4999967db4a0175eaa3134

SHA512
dbc1efef002347effc5e22fff63f9434e9176a0e7676583dc70899e103ead4df76d43d2f1e906135d2003cc616e0d02cd39b1f2afe45c7eb15b4fdbcd84d279d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
e20fed0fd4293bf59fa56ca4979dd6a5

SHA1
fe84d3bc9917515f768a93c6057add9a043d76ae

SHA256
0851b494a704c501aca3c677b3aed76e64fad5cea2c3b63e24b433e95c82c16b

SHA512
344b151805d12d83a1b3369712070b0a65a5f2e01f27de7bc0577d996666fd61930eb17c4a7447053d589aa10763ffebbed980eb13dfb64247c44df0cbd82b72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
f57ec3ec790cc9030820308cf0188216

SHA1
f02c4aaa97a555bc636ee65974afbb852d0d7046

SHA256
062ef230e2f77108d5c64f3edd66a1693fca87cd89bd2e5432385b4e5ae67a0a

SHA512
dec0440ca966b23b7a86866d1ea7d8579c313f572408aeffbfb41b2d7a65abd7da9bf1607954274c23252f8cb8c57d454ebfce949f15f11c97cf49df43c9c0e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
ec332fb3aea9f1066713a3783e055407

SHA1
cdc83c421df67a95b76c9eac4e6ae68127a739f2

SHA256
7863922e2f9c71ce41acb363fff23a02c14baf5f84b672527cad1a607c77e606

SHA512
e45e2b3f071e80ac4d7a0c536e51bcc81da8944dbdceb50358c5deb12c42aa593c9f5542cd181d10828bdded9ee5259e00f0ccd08e5711c13a9a1c1f5333ec6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
d6765ef3552a96692bd18d524ace2894

SHA1
3a4af63d8dd5ed7da5a0cd53824d7b5086b04efc

SHA256
22694df3c45afa8d4f77440dbc27da0703fb5a4abc7679cab47665e3e0da1296

SHA512
744a1128010a0b50f7b1dd9e5c22d0dd0419bc8acb090c654d1ee1addfa5069efc8e7e88966dec676362509966b4068535502898b79f99bef83b02cd0c513aec

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b69569eab8af0f01c304633452e0cef9

SHA1
1a074b81a828a5ba10e1e51d06f405d64c57cce6

SHA256
579bcba6ffb96e907e93d280067876da9f20c408a48f7cbcd37fc1ef50e02fbb

SHA512
5fc0a6c36bcd8595d916c9317c7ad2d3ec805782782586da0b1dc2dd6b29541a27c3c1c8fcdeac0a925d2e3a8b2e84a88cab25b5f4f658e562da954e7ab83ccb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
08eca90a04080b5119a1599fe556aa09

SHA1
b7d47b66f4c4705e0a0fddbd670a4905c883ac8e

SHA256
12835054becde8f5159da1fc2f35247b8d93e0d44220fa81c77624a468721513

SHA512
ffe4e3d423be7ebc1bafcfc14f294b9729f6349aac5a12c1b1223b67f87b92dd90228257e45e5ca7951dae281a776c907dcab83908c816255a4ab1017408aa8a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8e9771582fa4dbef8ef66d00da6bc20a

SHA1
46dd8783fc1fbbbeccd03945b27795c89c8fe350

SHA256
9c716478ce2dd97e0493df4a21b495a418c781aafca71d020c7434018a57c2e8

SHA512
ae2e8bc4a500bab0d72c22db578c985a961f2710a5cf7325d455a75ce1808181bf58001623cf1f9f2b6e4ef43e9c77933323e8623886435be2cbce7370232523

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b7a72420835128684f1efd586858ed53

SHA1
f8a4b41760004ffef350c8f9c09b04092104f3ef

SHA256
6e5962cb41ffd4bc7497ba0ac0e60ec89593610c013fad4ae6f5386adaf7987d

SHA512
2ff44feef21c46f5bff2dd0e2cb6ca56619cb95763eb6f2025a855769dceb9754b76a48750132f858c4dd2ffd9e3342bf7abe4483f2ed69c4fc4e09016e97bd5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
825ba78f15deab66c108522a12983c74

SHA1
4c2c678aa415c30c24e3ec99f5a00784ab322aba

SHA256
4a0c563f4a544bcf7ca54d0fe0bddf659e6de3ec72d3164bde9efb17b5fd8f1c

SHA512
49863ab32687a4a64cb66091851c421d696e060b06aff87f6eb86a4a575d8b374bb76ed08893e5a62814b5c83bac154a480a6a6d24e24105529ca1733f874966

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2a5a1d24eb591d1d2c33406117f66793

SHA1
61f71dad03279c9c75fd0df7732b646fe559d176

SHA256
b8a9836a9bea0a15182d2dbccfccc79fa5dd712c770ad85c457c321cb231266a

SHA512
e41c5b7d9b69347564edfe12d84cef4738d9fca261e1bafb5fb4bbb414b25bd2169c46ef6c31cfa19643f93eba5e590ee1674130804bc5763a323636aa792bf6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
18de6a2e29a82e1a3ba7532b9112c2b1

SHA1
00defbb97ec83393caaf3957d08042ceacc0d37e

SHA256
b97f1566ba0fadb80801f10f59d7fecfc2cc9c20fc6f1a186b154523d30c720e

SHA512
2dd96e5cc278b2404dcd3f8e0a1c0e6d048d7cb464373d68e7b00d5fdbd134f3d629eec5af839f7d5883b7c8bf9558b4ac35427c436cbb05fb0cd59ea6e54e03

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
e75eaa4136bbc7f83996ebff2c48b08b

SHA1
61bc5368c72f251d530dc0d089977ea1419dd663

SHA256
049cf1ba9b7dcb8264e58643945c184ee026d6b3a70f275ef5837241cdb9b449

SHA512
6af63b6af4be7420e88a030914aa4d78fe3bb776f041bc4ed1f62bd0c77a039d0b1272a5a9406c1fd6aaffdaa5233f1034334a07becbaad4be9f4e80b5948883

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
69234b21638940ab3127208426675540

SHA1
105d03685b5152db01db976eb612b699c1eabb46

SHA256
81e6840e84449cdea5731a33035242417b9d8dce5c8aa8c0eea0d62cb087aa22

SHA512
34ec029a6b0675ab4e6e5081913c925ead4122c66ccc1c531cbbc734e8c35f9035d1ea7b639109b3848af4d868204022ffe605fe0af6191a9e4f92f7085bb28b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9812d68f2d565604d8a779e55e2a5b9f

SHA1
16d5e164853830a8b0f30c672367f073961dfb84

SHA256
c4818f0cb43c72b2892cebdc911402ca7a452e63fa4c61d69db4906268d153e0

SHA512
e7350d0a379849b991a7365aee76797c23c4b2ee844f62e937c99d2b09403f8b25dcc330cff23ce36d894d7933e8f88cf811e350a3dd651e09a639d8c7116b2c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7ff1a126a190a892269c914a1c26f757

SHA1
9c9c6d1330d760168a2a05af39df4ddbd5a6a58f

SHA256
ecf6f391a4348b11e563d2857777c978de04f19ef506f54a71b99c5069d851ba

SHA512
d396abccc9c1b69ea11ae6501891a1910f3584884c8d488afa657d353c58b65923766c6b9d9e37ce2c3b12f66dd8b325339279968807fefe21b1ab4f01512680

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ce72d2962256ba9617eb389ca621ddc3

SHA1
ea27769642e71b31bd15bd572593ede907d5ede2

SHA256
476a8be28ca9bca78aa36bd1497e28e610dfb8347a283c306cd7cbedda24cc10

SHA512
efaec999e4c01eff4a88324b42824d9c8020590ce1c811999a0c1dffbd32d6805e77caa457df363c5b2a99a64a08d6b30a9efde0814a59bd02306333c9cbcbce

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
00c4c3042731e684e563ac1356967e0f

SHA1
6239d48e88513849163f43d9832126e871f30142

SHA256
16f0b5bc9032c2a2f0f2a58bdea9307a9d1b40fbd0fdd5424a2c40fdfb31232d

SHA512
fee5b33aaf442675d73b3d2d6f07c3b1a548d91a609e60e0ce2b5910abcb1959185757133562e730addad2e5e31179b7fe245a72747964b732dc2fb9cb60214e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
59fb277b9fe4b81f7fd8370df2e3d431

SHA1
9aa2954f5738201cd429eb21e390636c09726323

SHA256
03c82d1fb90537abac76fa2144816f240bf9640d9e424bab2385ddd603924659

SHA512
ccc44ea4d1eddbd172c8acf4570a5debeacf68feeddc599761d4f41a9aa19a79d05f57e9d1be8a0b9d4c1706edb604b79d93627c7f9cb46854b1d13e212c60f8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
48c9e73df1ea980ffca457b57622175f

SHA1
976463ecc9d17674dec69a982fe1364d91fcceec

SHA256
131978bbc0fe458674c530bddc3b90437f3fd5aa53e35a63110e3b794e318454

SHA512
9c0df1996dc5104f21d7d9e0c8757263125863aa248dc85c00afe6d24587a3f6989ce04a927e734f75c2488410e2e209cf5e794bbebbe69e6d49938435ca61bd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
f2c3e4ecc4054b989c758f9a852ccc00

SHA1
ef24965ffc673615e2223ab9245a08480177197a

SHA256
28d789b43b84ee1220cc13ceca66f2bbf8c56f6cecb7536df01535b3a826d68c

SHA512
77d37613ca19473e7f5a455d3c3a110a56c800a6a37aac7ac3215432a182b2d5a2a00f8eb8d56a1f584e6250e41e552a44cbb728ac66b2175b4c09d60212c8c6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
bc54dde857697a383036f3051a70bf89

SHA1
76402d785db3e1aa02eef531f0a261c3a59dafb8

SHA256
afd57a92d87963c6012e20643d70a3cc2b2f8c37348841774ea10211b2bff7a7

SHA512
58045f21ed9c6aa76434d35a1e039487d38749cfd85de8b7a982a98b757e560668fb8c257b4f2a17679b71d8a6523f51f671fe800de762729970706e61a5b394

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
01f8ee44e14327a0dc548991705aa9a8

SHA1
b30326ce19dd43be66290a05cd94026c39f86d43

SHA256
35a1402db56981c63013de67631239ce12683bb47fbdc44e95ba00e9c6120a70

SHA512
b0ede0033d9bc93a8a719c4aada0e31207d03542eda3ea3799cb0046304ead86e2f265c26abd30f4eefb1422024ceb3755c36c0a153b1d607ae7209bfad04fd7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
99a6885c5f833d567c7007a63731dc8f

SHA1
5eb34a4cb0c0ebb2f61226e2bbc44967c879b6aa

SHA256
7b51187440ffed0f6cf6c1e626134c642c1266593859a07c53dc72f47d65d8e2

SHA512
72244fa579992f712d6ca908001efa9c17a1a25a9858ec7015ac182b8e219da6bf57bdc91a4e4d0f8c154f3e79b7c991fa6186838e8f56783c3ac000b1e82ca6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fd8b8f30c2a24bb8285cd167cbdcf324

SHA1
7fbec5297058809229dacefffcf2080b7ba819df

SHA256
df88354a2d334bc31719281ff87dbf9d336fa0cf887a40170733074ad7430430

SHA512
c6f56f3f1b720e544b2f05355da827ab745eb75b47c97cb0c598e9c0bc612293e323d52a25f1bde2442d9307ef23c1403e31330d47299df1aaf1bc67628ddda6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3e172fa57e0f959560e30db4a7ee8b75

SHA1
f5cfd18ba8595b04d63d779afc3633ef26f559a8

SHA256
14a7687fbcbde73bb92b9ec3a8e4d13d94a104b33c08f347bcd77069a115223b

SHA512
bb2d974396f8af7b57ef374a060c64f4c6850b715811f27b4b9a4e22e1f0e5dc80826e65cbfe57834bc0694ee7b698269f7eae2c91a13878729f514588f417ad

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
ae02be038f01931d5e9b5a13e1f3490d

SHA1
4518bcac95d4e333a96f1fad1aee4924bcce7f39

SHA256
ca38a59a38858742f729849a1d3432dfd03eb78b412ee3397e85d7736041e3ce

SHA512
58151a711386511cecd059f53c651e069de8ba32bf260bc5075e4a17d9462f4940963c49ef1321de57d1ec78a7e0f9a284a83407a692edff9be98554ab8a8c46

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
66b3f354b89fb2b47730495bbe3f4887

SHA1
a8e8d796c9e59bdf23f74e0aeaab950b248fa014

SHA256
0af9567f339acaa0a987c1bcb60960cd0d2c4f3a87d7cb3860562c09d7bfa2e5

SHA512
48733ab878392ff0e4f04a516e64b304b9f5ff14207384f05f8a1bef4361eafc3bb8da688a75a9e98ba842e1b9cb8b325536a5337d2e1b3901ce2015ebe30d3f

Download Submit
memory/536-192-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/536-446-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/948-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/948-482-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1260-255-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1260-135-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1420-553-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1420-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1512-1-0x0000000000B10000-0x0000000000B76000-memory.dmp

Filesize
408KB

Download
memory/1512-8-0x0000000000B10000-0x0000000000B76000-memory.dmp

Filesize
408KB

Download
memory/1512-0-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/1512-98-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/1680-125-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1680-234-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1800-375-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1800-161-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1892-87-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1892-85-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1892-47-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1892-39-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1892-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2292-50-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2292-51-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2292-180-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2292-57-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3108-509-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3108-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3268-528-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3268-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3268-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3320-265-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3320-546-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3668-205-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3668-471-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3976-146-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3976-264-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4176-101-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4388-545-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4388-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4472-84-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4472-72-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/4472-78-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/4472-82-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/4492-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4492-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4728-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4728-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4764-12-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4764-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4764-21-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4764-100-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4848-114-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4848-228-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4936-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4936-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4936-34-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/5096-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5096-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5096-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5096-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download