77b0d6fe6bef110186084c6f3ed89f045e2396cfb7d5fb8fffee8daa2da08513

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 18:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
Size

1.8MB
MD5

3d28aded4f760e7cd79a7bf7eeb8c484
SHA1

ab77083bf6f51f5e1d2cd47b6f63bc771a03dc8c
SHA256

77b0d6fe6bef110186084c6f3ed89f045e2396cfb7d5fb8fffee8daa2da08513
SHA512

73de311b9d738e2472cf65e6aa3e63ad6474a5a7c7d83393145694fdaf95880c5ab61d1c7f415ab71e1a682ee5ab1328c399373ba27d39367bdccd031f46bdf7
SSDEEP

24576:d30wJ529+RipvL1SXk1QE1RGOTnIEQc4au9NgxnHNn86J17W8CX32+KJNA80T:dE19+ApwXk1QE1RzsEQPaxHNVcW+S8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4628	alg.exe
3288	DiagnosticsHub.StandardCollector.Service.exe
4772	fxssvc.exe
4804	elevation_service.exe
1552	elevation_service.exe
3064	maintenanceservice.exe
740	msdtc.exe
540	OSE.EXE
3936	PerceptionSimulationService.exe
1212	perfhost.exe
3516	locator.exe
2208	SensorDataService.exe
3468	snmptrap.exe
4284	spectrum.exe
2172	ssh-agent.exe
3328	TieringEngineService.exe
1060	AgentService.exe
1768	vds.exe
3776	vssvc.exe
2320	wbengine.exe
4636	WmiApSrv.exe
2792	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a4f147aa8beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e89e0f5e6aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a570cf5e6aada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030e4b8f4e6aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000277cd8f6e6aada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000229f96f5e6aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055f5aff6e6aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e89e0f5e6aada01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
Token: SeAuditPrivilege	4772	fxssvc.exe
Token: SeRestorePrivilege	3328	TieringEngineService.exe
Token: SeManageVolumePrivilege	3328	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1060	AgentService.exe
Token: SeBackupPrivilege	3776	vssvc.exe
Token: SeRestorePrivilege	3776	vssvc.exe
Token: SeAuditPrivilege	3776	vssvc.exe
Token: SeBackupPrivilege	2320	wbengine.exe
Token: SeRestorePrivilege	2320	wbengine.exe
Token: SeSecurityPrivilege	2320	wbengine.exe
Token: 33	2792	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeDebugPrivilege	1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
Token: SeDebugPrivilege	1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
Token: SeDebugPrivilege	1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
Token: SeDebugPrivilege	1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
Token: SeDebugPrivilege	1008	2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
Token: SeDebugPrivilege	4628	alg.exe
Token: SeDebugPrivilege	4628	alg.exe
Token: SeDebugPrivilege	4628	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 4492	2792	SearchIndexer.exe	114
PID 2792 wrote to memory of 4492	2792	SearchIndexer.exe	114
PID 2792 wrote to memory of 3020	2792	SearchIndexer.exe	115
PID 2792 wrote to memory of 3020	2792	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_3d28aded4f760e7cd79a7bf7eeb8c484_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3748

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1552

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3064

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:740

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:540

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3936

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1212

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3516

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2208

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4284

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:116

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4636

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4492
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4819f6deb21a75d669166ced7d98bf5d

SHA1
ba54eb20e907cb1b02070a63c2712c5f887bacd0

SHA256
bbd45e8b42d79899a50ece2b386656225c289984750756c107322617b4d7073f

SHA512
f4faa66267df62e1f4409fe92a877ab69110c2585a63ab1e2301d54ecebc2949da2cf92b0c9071f7d830fa2cfa6f8cffbcb3eca855956edab22552226ea1a61b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0b25aa2d17ce83796d82ae4d2351faf7

SHA1
f2e0934b9e104ea1c34de7890639768b39c72279

SHA256
965cca50bce402a6e962ad7a4d14b9e70a6d2e4c4230149c54085681bdc3e302

SHA512
484d15b60704fbfa022235be8671bf8f99dab102bbb97313c08bb9296f82812ea913313048cd7fe085f54af50f62320ac96f0867bc93d5f2463fdbdae437f61f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
29495afdb45c4c2e39dfd667805c8797

SHA1
1e05fbedce983a0c14337b1bc79a5d52edb970f2

SHA256
9b8b67a419c0223b5d7c8cdfe99cea5d62215d6d07bfec71b92eab37c65b15a3

SHA512
7d061f03b0ba6e3f24e09f22b1269981cc3061a060d8602f921bf2e612d2f9beb5bd1245b49ebad5e355d6331e86946536da60cb047fd58aec881868a44d4752

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
846f23868e208694fed3fae1aec8d3b5

SHA1
3faa9190f9283584947f9550de837cc6a54d0b7c

SHA256
b5112d0ad7ea5af0f81b59953500c3c47b997d30c72cc625d49bd59c6b1ada02

SHA512
163adabb340093712cfc9aac8188ff78de3264637ac2df499fb76a4bba91707c8c9f5c2b9260263a1d20e042ee062789dd87f983e120bfc2f966df5f630a0764

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
abb3d4a42960cc3e837d3b8f53b982f2

SHA1
de338039caae2b305fb0ec375890190c4c8a9fbc

SHA256
b51e5adff4eb13ec4227cb6ae158424f30691319895426907577f8da10e5ba90

SHA512
44e33b505b4dad6c2c16d3aa023b2a06d3b9ae55b68420211c9c53b9c94aed267d0122881d7b21ca24331b064c38a13fd508c98426fec6bf53a8d9c8d9e6032c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
20ae24ad6b30a523631c2da60056390b

SHA1
0c17fb6289e9355c982773fbffefed6a711ee0a1

SHA256
e2704cb758c3e121e48afc92776a5efecf1bfde5e672ba2d8ab1bdadb214f77b

SHA512
a28414db3b04252adecad0a2d82d84a150a5e879110dd508e3e1bd08614c9f129bbaf2ca00f43aba7190740786757d04c43d4e5bdd07bc54c8787133ae61d8f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
04732589057c397bdb34ad1f5f61ec7a

SHA1
9d321e5f05e2f41dc448ff050d17f8525698ca85

SHA256
2bce53d9a011339eeb0eb5497324df342dd9f1e2650b5584db352c2d47ddc233

SHA512
cb058ef213e5c31ac29951b660a5c201e4dde5938e0a9bfe5baf7327cfcd6813f4ffb71ec3aec9fc98d882c342317953edbb5d3a1db739f0d8df1a61f003bbd5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
092864ae0ed08c3a8e151627eec25f49

SHA1
4c54d00863cdf8f5ad00b3dc6addcbc3f659f937

SHA256
1c951153929cc681d0e2269db3506e78f8ef9d84e44191bab25c05a0c773857c

SHA512
ad6fc940da4fadf40baea0cf39fe46767daf7bc393c4f9c25cf13b27fad3844530c76ada3a0695c8a777e296da9d588b548e948128a31cc0933a595e5772ff8f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8a77bb2e45045708fcf93109928695d4

SHA1
b874fdcc972f8642b47b6b8cb9ca3707c69beeb1

SHA256
b0a0858f3d1d124921d8ca73350665af632322d4eb2477dd404b6927daa30802

SHA512
824ee18189132aa75e5cfc02408f7e6db81b3569001739f9abf5b06bf5e0d33401a5090faca74fca9a39c5b5508c4b7203a1dc14eca8cbf05d880d1e8c6b2cd9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
eb21aa606727050842c21fa79c5ca621

SHA1
0977779481aa35269e63d068d8c31ff6c78e946a

SHA256
8c6046248ad10bb12d550fed536fe01a19f7c8430a7bf93e959e6d03df652841

SHA512
38a0aa591209fcec49b8c96dde82297ddeb591e4dfb2064ae9fa90e56aa1f7fb5845ced990969f447bbacc3a3ffe6c9c0067e54d5e5f880f68ea416d63bf54d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3c9de315eb343ea2d695318140349b3c

SHA1
dd1677e8dfba9176df9ec733c65571eea4d6dee2

SHA256
c4a3b6f82f0b828ceda552ad40e4180774772ac4f695aae4ac19f61394d8b846

SHA512
6fe495877231b6ab65524f4f348ed9b6a06b489f3a97366cac16a3f9e245225cfc9294108300ffceee8322ddc9b8224065fe1429e913270662e26b4151b7da3b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
58b412c5dbd2bed727cb624d85767f8b

SHA1
419bbbc9a7d3c6d5800952252654d1ffbff278f0

SHA256
4f8fdf720c92e67704e1837f3829f52916f3d3ee9bda5d2bb571e02d79edeab8

SHA512
04dea47157d0d0e1a6a5a5e945e580e296ccc7288d8b73605779a79268cd55cc389bf56effae5b52769955bc8d44e4c9fa8fa76b98e2df51f06006cbbc09ddb1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
669578e10b8f83db8f87037fc841247b

SHA1
068787e89172eca63e1c25e1eeeeb308be988bc0

SHA256
07b00a48dad32053e2c43203064db34a3e3cf4d5294a2c2aa4cef3c6f5176181

SHA512
b15cb74078be7d3b9bdadbdcf5584b26263feb0b2d10f81550ec08f4c9da61e35d401d44aadbd051736cd5070d8cb2fadc94f5f986dcf9187eb40472a068366c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
144a5e04013285adbce11eabeb105c1e

SHA1
1e92e375ec3ae8ef308be41747463e3042a4c1b2

SHA256
ae58c6a7902d0a9c0d531374b31be216ae5e9b7e010f4804e4afe51dcaaa5765

SHA512
bdf1f6da968beff8b621c6c1a9e022ba925e9daa00ff9bb53bbf4791ec1916e3f6dddab8e979c43875db4e38c2dd9acd8112a9be11f754f765b38da894f82a54

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
71eaea19f8ff505e3527233c31eced0d

SHA1
cb99057329fc5fbb30b5a33c7622e62db1300d55

SHA256
6535e2f8626784522a5dd9eab2135483e9eef833aa5e7286da5581d17ee1217d

SHA512
7567a0db9232c44fb880dade86b2acb44cf30edc496087f223da369d620c074c190518feb54b48953b2251df35e60c1138d95504b7a85fd6312681599242fb28

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e4d93adce50f60430f38faea79ed08de

SHA1
53660579ad0b5afe296e1584078a7cb7250852d7

SHA256
a07a6eb971835a4d07727c35eea5d4953a090f861c83a442813588facf98f799

SHA512
4b9596e68af5c0c4ba8e9a2039a052502dc12070306c6fc71cd86967b22cec190a2408f372179ee179a0884ff4d7270dce5e75129b5755ecaa22f35ede54d2fb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
42a8ae289ba9cc5fcfb50fee2162a314

SHA1
d9434b92fb20cf9470afe901d75bd1f2fb3f0da7

SHA256
43c53931763b387a03d81697da2301751c138ffd374557f4f764a7b72666b6d3

SHA512
81988d348ff4d3e11a0c1c53cc217aa86bffca717fe8d9dc479439c30a2889ef5c417a62a9f068e0ac366e311e5d9e076dad4a8827d205d89b12360ec88908fa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b2a6439ec41e80d00ac99642c9d67637

SHA1
a65c014f2b0c9484fad08bf04a401e8bdcc365c5

SHA256
07641e54dcc6890163800b33b34ea90bbfbc2376df23b23bb8d8c1d44c60b82e

SHA512
c0b99dd0ead1194cfd3552faa0bbfd21edeb388ddd78730459ac4534f6a83d1e22f0d29fc8459c2af59c1fae92dd02640dbb452ea16b10caaced11250f7182af

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4d2b61cc85735819cc33ec200cc3098c

SHA1
b87d6e8541a1a6d9cf3dc88f62715bb2ef92bc38

SHA256
37d1fecc96cb0a6b3e2f9584be259c72ba408ddc636a83a197fd7e35c684a97e

SHA512
55afb82f410dc328f62ed6a057c362ebc9dafb84164e79a9815923b7a03719ede7927698b178da1da554421a4e8b045c12ffe11ce480ea35736052855cf9f71e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
525857e99990ae1716e88366a5d94a43

SHA1
6f111f7b75775f59a2c94942e268292dd0e0b7c5

SHA256
93d8007a3faab98149d6d9be9dfdae6dc6cc1563f28a81ffe765c580e7b14b2b

SHA512
a3350adaa01c2a167e9c2948132d265e05e43e6e5a966f98e1b583fe3eb2050f1177825c59c9ee81c11728c16bfe35146b32ef10c6e1af98068c7d9abeb795eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
91ee6b84dcc0cfdc4517274d286e3fa1

SHA1
90ccff62fbc2025f81fa686f5f6090b932b329a1

SHA256
b49a52c9c2e84f960c7f83a1bc4d28b4483a68728c001541d6679e40e1210b5f

SHA512
61879f2fd801d357f27ab0882e8d8727e8879e74f05f006a1a55430f4b89aac979d1a76d191f6faa6808e57b484862b52bdd8d1d58634267245d85811154cd0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
976a130a2f4dddc4495e6eec2f8f3ced

SHA1
66b4436dc6a2f79cf86d15412399ff551eab2367

SHA256
8c97e3f85bfe820e73a89460d1555be7c225d28cc4e12fd60d4956fa62312013

SHA512
67f650477760d4a7441fcd46b01066ef21a265c889548dce7f4f7541d105228f7c2ef34a92fc46b9df345ba69ee20888b19ee80f7940446f7b7dae8744ac079d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f6d605c06334acf2d5cd2e76a1d80bd6

SHA1
9b0bf2cd8e2f2e3d35cc31fd89a9d92cad6259aa

SHA256
54cdefb1f77c3e695b31b84530af79739f556d574791ade19973a38257f4c4f7

SHA512
d0db5bb01cada6a6d07dc47d7b9755244d1f366afb2cfff427f6674e6a83d6113d3f755358d5844969ec8138651b88d64d369909f54bf96980bf504252ac63d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
094a5b369a023cf27e055f5cd396ce17

SHA1
bfc90dfa4e7f7a78bc305747a5be107a855b8ab9

SHA256
442a0076febdb9d0d9a93f2ca4c9e40a27b4e4b0a07ac5247651b4306b8111bb

SHA512
6fb4c6d8c8592a7abea665a22c95ed7cd3f3a1c0fa9e954f90650cbedfeb144cfdccac19ef1daec7482f0eca558fada5a766e84a1a6aeb998b8fa1e110d99226

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f13f4a26b088d024e366062befc8815b

SHA1
3fe95e55a568b890c13906880ce1308267e085bf

SHA256
6259f481f11cb7a2f73af5ee16c3dfe9f1ebdeb0b04c6c744feaa81d70be582a

SHA512
ecbc4005383069b2d7b94b6486291260e01af4044d5aa814e598860ef45d7d276fa5b07248cfc2d691aef38c6333a458ccff8dc9a1cb06d0fe4da5f18b2091ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
3b32a305d0c1f68b4968d926dc7615ac

SHA1
30b8381da4128cf275b45c7623d531c057b506ae

SHA256
dfe1c217a21efce6a124fcea193a4f4f23775e24bbab8b37712ea500f9fdf480

SHA512
4127285ac6269841e007a44dc98b691719ab36fee16ac2a3fca80a321899a2ad324c7b216e372071ee1f5ea7f15ca42fb7145409c589b31e75ae91a9b4483c3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
3af28c8db5eb1e947667728c8df111ea

SHA1
51d088852c24194a1c3516a40b02845ccd05f618

SHA256
b6d81cf0fe57e65d6a0f7d06a085dc723ce79b535f5aeb8f7be4db1aaa287d7d

SHA512
342976e4f5a7a12885956c3d0603b6beda3ae28353c28611dd2613391e89df024a8e457a6037d3b5b84fc096d2a45341d2111f4c14cbca2d0cef4247260ab3bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
81728016f4d87c04a7353f53962e0cee

SHA1
d98e36b62e6f102d60fab79998837d39114fa998

SHA256
faf50cc29aa19ac4fc6d5ce81f05664636227507fc2ba84b4ab736af8a3c0b3f

SHA512
fe84957f84698f086649a9cca0d0d3b632681b536fe97ef473c3d718ec856354781aad2b235871fc432a1b0a2de204814fd2e00d9d922cb8d073811cff33bbe9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8596ff0a241b07b2b77c2cd925680285

SHA1
5db5f5f24b236e7b4abefc7dd5545051df31c38b

SHA256
288c3d40113efadc084a3453e048d592efe30cd544f0003ac3938fd2d0391c93

SHA512
7139e4d35005cc01ad86d7baaf8a1b6a9e3f31843f6ad112d2409efe18087949d41c49db95c2ef9ba57c7855e7f4219aeb28ff7a5fbcab1a5acf772f2238ebb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ef01585c9971fe1ba7441a84ae0369a1

SHA1
f4a09ea423f66e7a6418a0da35583c4ff2481db2

SHA256
3ed906e1821c49ca84ea051b88b1dc622ef2208eb504103e1fab02e6f1d97ce5

SHA512
a1605a157d443ef52d588d91fef86453c342becc1a34f02a34a5b9f29b72e03d5f2edd1583f836e3ef03e035dcba7f91f848803cd4cd6620d6db1ab6a75520c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
1a8b45e6eedfd131001114ce24010baa

SHA1
53cb5d795264b99ed0582e8c7bac447076945436

SHA256
a08beb84037d1540de15c84409bedfdf329b3c00caa04339ca38bbd858d1b12e

SHA512
4e02fd5af55f65b33a3e2a569ce9fa6600258a3b0b1a47ed0eea47419876dc1846ca9f4d3ea9f059eabe3fa8ebe9c14ee6981ce94c86109ff2c8b54674497479

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
bc0fcd333f5e7e1f777ff86ca85977c6

SHA1
4daf53c9378f251bf702db8a07d9d7e2eb0781f1

SHA256
bd1b3dfefacb3c87defc6adfe75bc0d6d4d2c34eb8c3d822d185e6d0199870dd

SHA512
2b123ee4fcadf490860119de99c9cfcb6a56ca248464ae0c6d2f1b462e4492476b1ca78abcd0f26fa82e979464c443da8cec2235703936cc33b0032a96dcebe2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7faa691faee9f428890a8883e36b96e3

SHA1
1a097891ae9e83068850fde194d4ce821f09c1ab

SHA256
e472263e1d52d054d378145c9e898c0e579b6ab874f61de31612fef744df7b2d

SHA512
45b971e7314bdb540dc2f9ed31e9f40ccb908d479985054a62cce3acec9164828e03ca26d82202c207ab1086dddc68421adfdeb84387e01b3c9f47e59bf0829e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5e14e1add08a8cbd95313849d34afd01

SHA1
0d5902d5c671dc1a2efd229281abf4750821375e

SHA256
7ed0433c6e4f4f377ed2560d17da9dfec17b1bb2e1cb4eea0a4b06cf534c5c8a

SHA512
b743ef858d3420a50a08b43e685236f5e56e9b19ced842e06a479e496116c02bc22a5e9480806e868a4392b1c0864959aace648339adde19651a63d8e105b6ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6ef300803fa886cef203c689190fa402

SHA1
c8695eb8f565f2bfc9585c60759d7f7415573e98

SHA256
ebef688b261587314bbe4862c7eea20cb4ba97341d8eeeb286a155026c61a200

SHA512
8d21b696a11423286a4d70083de3a6a3f878342352e91bede4c920a0e034605ccf17f3f9d007cfbd19c0dffd938698ea63730fd83edf1a1985905f516ca36cb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e830ff8af34427debd4e4b2c20af2944

SHA1
5e345c7b21546d4526ad539431eee7c7e9a0d868

SHA256
2ef8cb3d1d0254c0214b70a21545d42d83878a3f1dc26be21a8260fac101d028

SHA512
81ba3b8e771fb24b2bfe52f8043f0394b339aaa712ca4c8dc139fe1a2fe6ea09ee58c62786c31915860b9bad7383bd7fa5fede9c5b940b116f62ff19e8551210

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
70daaeed441767a087863490144fbd8f

SHA1
dfadad7d866e0b8580f9acda801285b6d57ae752

SHA256
1b3417cf3eb7398cc4843ae4fa67ecd4b035d6529258931dd20ea50b2d1bd90d

SHA512
f61f003e59a4910d4f42b9acaeacf8e77cf07d767b8960812b500b332fa0199114dee7f12e2502b582231e74888c1706db15c3398dfb027a86af2f0ba41f1eda

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c40cd1bc61f5cb97267558624f22ea72

SHA1
4da17fccd302f4405d4deb1f67a7aeea47b68b85

SHA256
894d48bd9abae328f68ac001dbdffed055c3ff2991b5af9349b530d5cc30edef

SHA512
ec9dfa0e5ac71e1bd84e75d9db746461cc746a1e015aa995ec00b1d8d5bf04b7bdf485aa1fbf39e8be62b760b4d3bbc5e8ad8c87b1c11db01079609ea0a7fc2e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e39fc063b208f850d775cfaf769f156d

SHA1
8036fb0f5322af571b5143edfd3d81de167c8956

SHA256
eec68fd0d3cfcbd3dcc5ce022a71708847b069354f9c4ec2cadc8d019d2478bd

SHA512
beca7ee91d57850ebdb33fbf9b2b79e9577151d5533f96a5dfe3242542f709f1c027ca4af7f01469450bc5710ac3a70924d7ca56dfe9f20a0d2cca2c3d3486cb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6912176d8df0f459989e5f112659a81c

SHA1
42901e5ba41d9848c1bc13a7536ca23c1d89bed2

SHA256
2f90f3609344f4c07311773396366a1adb9ac85e0fd9e0f9e7838aca79dd41b2

SHA512
7dff0e7a0f6ab66d322aa22ab1c568df118b3bc6bf4ecd01caf6020b19e5660c28fefdb4ef2832ec1c7722689310deb563fd4394a6dacfd1556f6b1be596083b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
89e53782a1b88334983bb93afc24a368

SHA1
089dc5f800a45384787976a8bc474c26c518b4b2

SHA256
76f20025c35e33fcd3d7aab06fc2857d4cf8cafd27861c2e59c080f5ba9a9aba

SHA512
d46eec26b3ecbf5de960f47584a87e684fcbffe1b5184c3d283baeb7fc93af96951ce7aaeabca9c6429445baccf638ffb89eababaffed7e2f8987ceb584a85ce

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2f1907b9d6f8c2761523a3c47f458a2a

SHA1
ee42ef45b931c7a1c22214546c4013435b8186d8

SHA256
bc92cdb137febc284c62a4144289ed065520bb8863d1a269d8032dddc022ec0a

SHA512
738303687c9590b7adbc001131eabe23022af331d3e968e3d541f783c6a8e97095b4d4703067a16b25ccd729e53919df65c3f35fdf821a53c7b47af207c67b24

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
86fa6f6cf83972845f892d82dcdf5b3f

SHA1
5dd99820da8333ce698798d806021024237c16a8

SHA256
c918419a6574ac6bc9ee30e55bc2b00b7ce7c8e4bbe39d0e0f190e6a33974c54

SHA512
97258d1d43aa407d601314ffb1afe8891443af42016cd54986f157203ccbf0b3598280f7a97bbd318ddbb47d06428404c0a69de54dbb63b32883f95f16b9da84

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ddf2adf0fdda906ea8ff1728b6f847cc

SHA1
bce5e10a8cd9304e4e8174fb8ec547e0367cc4e4

SHA256
40eb7c0e9e6134fdb70435b3992fcd0430d0b41bf675c1f5fe963061a6ccc164

SHA512
ac45c88c8be69ca6b21994d3037ce0e016255011ea20471f83e9bb2b6eeb552fd35bc79ecdccc1076110f0c5ba4016551d20336a09cf44a11a98c52757e4990f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cfbabea855197cca7cb2612363890d04

SHA1
41643e753a406f30135689631aaadd4b841bfa46

SHA256
beb502aa4b7c007e446a9a57fe9a32927d5f93099924d752af376adb45ba5e35

SHA512
d745de7693cbd6918ca3bf556558ed8334d5857a231e2b17487ae765bb8e39fd18750786c7a55a685464e72f92d98688a44bb7cd05cb77e0184b98f8678638d7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ede4cba525298a791f00dc0956a688e2

SHA1
46e9b57eb89f1774212858ed3ad4129929217571

SHA256
98bec70c51da5365d99959f7f10fa9c731ef225e889b1b0ed8fd3cb63220935b

SHA512
9fe4553b8b4217f0109d6b92868829bcfd0b63548c31ddf9a8fd74c6b46440b071ea3914a56560d3b3971d7c7cc9aa565efd422d71b89687e813e37306bd812f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6374e6e1a171b03dc78fcde88e068963

SHA1
8470b9b102c0cf24218b6d382e142794b8283776

SHA256
dbfe91c7b98a45eb4f2be43ca5a995fd1dfb679c56b445831e6ea69d75251b0a

SHA512
ba6952b6d20b2a2489d1c9fad77842165ef77e9df6b03dfcedfff4e3ad499f5210c1a9b47a3bb2036c3cd43e46e075e24214e45a4286751817ba7dcb588927f5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6ccaad4330a30093e4a92d549acb10ec

SHA1
5c3e3945221dbc3e1173a1c281b725ea9554ff3c

SHA256
acfc66260e2e06dbb5b171a414cce78bf5dc88449e10b3bb8858daccfe0b7096

SHA512
784e5a1a405d58a744967536d8171d99312c353045dd9661c17e89ff61ac59672daab3c6c36049d06225c05548ae6a89accbf6f9cc4f980d410c85e4e1bb8ae4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
66ef2c5c4112db2de24ab5e67e0b0e01

SHA1
48db6dd9e579a5843602473dba26025c26729d5f

SHA256
5da88de6abbe50e489a53d9cb2ab8cbff6c2cf4b7f4964f41f6fb49d9ecc1430

SHA512
5dcd0f342a4957c2dc0766ed4e7b7bf40641a32384a1edb8b426c4203a862ffe28324bb70358f34f5ecaf0a3c760b304ff4187b8a34f7b1538474d38d408c6bf

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
44e025b1347cfe12518d16989873df27

SHA1
3a57904627bdcb51a0f9c1c26b0751bec64547e9

SHA256
df80dfbc9af9c78ae42013802fb4a806271fa86ec92f441b5da09f4b4c9b7db0

SHA512
5ff58fa7230ed6c34fa46742d95ad497fd990f512580caea1301ab1630c2efa2e8d51776801f3cad31e5309f2f14981c623da04fcccb1a339ad758cc6e0e51c1

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bdd9cb8daceda81176328029e5f294a7

SHA1
afb5d1acfe00579281a66ef8707f4b4c85900fb0

SHA256
9faefef27788f8c007445b84c08d7adc0ef6bcbb5519a9d275e5182f4632cec2

SHA512
fe0ffd8fd8f0cd9ab2062872dcc14e3afede54113667039936c76902483d77a9dfa0307c01b7752ad95c0608e88173a9617d084457a38fcd7267e871a96e8e4a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
358ba22185a4f0b86351bead9a25fc4a

SHA1
32d523a9b7258a591a837fabe5c80596e1a29940

SHA256
99028d526ddd0405305ab75807fadeee47a340467540abed3efd7c75323ec09f

SHA512
7a56d869b730ae201124e1b5c80d5c7675edda3defa524cedb8d2cb176911795bb7e1add9359948b3780e29fc82467a47c19d0217aad581ceb82d3e577d74a8d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a3e26b1b20ad1edc1927238312417ad7

SHA1
5952fc25f262f04e7d2df2674a61b50c89843b1b

SHA256
49d26742c4792f728962c7e60f184eaf1611db009f7a6735e000d6573585eb8c

SHA512
b4623830062c9584da7742dc01e4eb2f26feb7ea57660f97238e829838481f52c8ae46acf4c42a8d01b1a797fa09dbe0a51e315a0d7db70bf8a7c9286dfd40e8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
019a71f6561de7ae55439b25b7fe8a23

SHA1
2b71b41d5b04adf77bd80b4246265509bb859a85

SHA256
66101e6a82c6e9fba231b518e4ab79a929634562b06d4a269f687d7cc526eae2

SHA512
194f685fa5396f6fdaafe22ce10a00249dba0e7a1f4f22902aca34e5e3ea6f54078158b957ff052bc8d1d60717a4e5a62e022f6d902c1d513609b0b91995585e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b8e92ee2184042c1a1a916dde5df9ed7

SHA1
e4b9ea009665de167a6bf5c5a045d3c31dc37ee8

SHA256
c8010b0be9e7b498013c6e35c651b00659fdcff982c45be9e2964012aef2f768

SHA512
233fc5093d37161a53dc5ebf66ce10be30b60ec79399f419e8c739af39ecb576234e75f0c4560e3f53f68f3370a6c68923a09417b268374729b01abfe81ac25c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f76cb47c9cf042c1e4d180c9ff1776b3

SHA1
1853f785c00ebda79d70575013d9edbfb1fb3966

SHA256
d97281f0e0c249b0e70e22edb75a2c7efd0fa1d0dd12e56491ab7bc4c04a9bce

SHA512
af9de5a9aba444e821f5de36b2c620c57b6d605c9192f7e5fd1b76acb7ecb353535a12fbbed441b85006e9e2a8003dae5144cb2d86ae9b72792fdd01da1141ef

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e96d974f8c3222847b7aa7d0009604c9

SHA1
31b340e022372d48c77d84c52b210426962ebe25

SHA256
f04e2085e58750416409c3d4ff4404567e03afec2001900ff2bf0904918368f6

SHA512
5c2afae437327b503d3248c7a6dbeaa14267fc9630e9129995177f87057b2fa42cef7fc7c2e6ad988782135a4bef2f7ac39bde067a66b937a3aa5c1cc68ec4e8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5e0a0d470c969e656e6c7c17592aaea3

SHA1
bef5f85c30a4475cbffb2ea0215040839b8e18ae

SHA256
4aead92af92e66cb5f71c96704d295da7f8c03ed2255d93a93f867381cd8e40c

SHA512
b85a4c4173660ae50315193fa69dc76feb46fd59eb645c44bd86fd100522c719e301dd3d7456b455e51810a80ebfce64c34ce8a20b0971a7ad8e62033ca9c6ba

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f23c70996a7e0f100245b6fcb6643367

SHA1
d22b0cbb3b026016c477d5e00632849c86d8e63f

SHA256
12b9308b0222564f00f0b4304934fa0471e17428e9126094741bc4035ceb568a

SHA512
66fa7b2ea0c8ef37a97b1ae3285473413fc6ba833149978f53db5596771c5a89cb5f6d2e401eb69baec565119cf72ad54d4f4064d2ca111893955756c76e9918

Download Submit
memory/540-109-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/540-223-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/740-216-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/740-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/740-90-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1008-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1008-1-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download
memory/1008-6-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download
memory/1008-88-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1060-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1060-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1212-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1212-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1552-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1552-193-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1552-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1552-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1768-230-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1768-646-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2172-640-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2172-194-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2208-643-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2208-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2208-280-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2320-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2320-650-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2792-653-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2792-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3064-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3064-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3064-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3064-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3064-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3288-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3288-127-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3288-32-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3288-26-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3328-644-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3328-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3468-453-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3468-161-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3516-265-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3516-146-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3776-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3776-647-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3936-124-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3936-235-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4284-482-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4284-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4628-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4628-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4628-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4628-121-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4636-652-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4636-268-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4772-45-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4772-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4772-36-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4772-46-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4772-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4804-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4804-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4804-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4804-180-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download