2dddb4acb483760d791090be11a0542e4c8c4d905d250fb544d7b72fd0b418aa

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
Size

712KB
MD5

b7aa3ab3fdfefbacf01b306b42ce5dfd
SHA1

a4cfdacffcb10ca33856f03f0c636d8de5278077
SHA256

2dddb4acb483760d791090be11a0542e4c8c4d905d250fb544d7b72fd0b418aa
SHA512

6b3c5d9ec6789bb585ba1e02c98c13294433e183c19cfcafcf22ec9651895c12b791141227f99fb1b99d9861de6471829b5696c3222fbfed1d9d4e9cf80f45f1
SSDEEP

12288:7tOw6BaimqmFrfBCgiw4bivhqGoj85sVPL5qw+DC:J6BiqMrfUgYbkhqfj8uqw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1388	alg.exe
2664	DiagnosticsHub.StandardCollector.Service.exe
2740	fxssvc.exe
2280	elevation_service.exe
4516	elevation_service.exe
556	maintenanceservice.exe
3648	msdtc.exe
2420	OSE.EXE
2088	PerceptionSimulationService.exe
4124	perfhost.exe
552	locator.exe
2108	SensorDataService.exe
4588	snmptrap.exe
5092	spectrum.exe
3196	ssh-agent.exe
4568	TieringEngineService.exe
2988	AgentService.exe
2788	vds.exe
4356	vssvc.exe
2512	wbengine.exe
1164	WmiApSrv.exe
4484	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\76a83b14e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e48d94cd9b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000377ae84bd9b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005762514cd9b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b02b74dd9b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002aaadb4cd9b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b688584cd9b2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031eb5a4cd9b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
Token: SeAuditPrivilege	2740	fxssvc.exe
Token: SeRestorePrivilege	4568	TieringEngineService.exe
Token: SeManageVolumePrivilege	4568	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2988	AgentService.exe
Token: SeBackupPrivilege	4356	vssvc.exe
Token: SeRestorePrivilege	4356	vssvc.exe
Token: SeAuditPrivilege	4356	vssvc.exe
Token: SeBackupPrivilege	2512	wbengine.exe
Token: SeRestorePrivilege	2512	wbengine.exe
Token: SeSecurityPrivilege	2512	wbengine.exe
Token: 33	4484	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeDebugPrivilege	376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
Token: SeDebugPrivilege	376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
Token: SeDebugPrivilege	376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
Token: SeDebugPrivilege	376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
Token: SeDebugPrivilege	376	2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
Token: SeDebugPrivilege	1388	alg.exe
Token: SeDebugPrivilege	1388	alg.exe
Token: SeDebugPrivilege	1388	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 3680	4484	SearchIndexer.exe	108
PID 4484 wrote to memory of 3680	4484	SearchIndexer.exe	108
PID 4484 wrote to memory of 1872	4484	SearchIndexer.exe	109
PID 4484 wrote to memory of 1872	4484	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_b7aa3ab3fdfefbacf01b306b42ce5dfd_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3176

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4516

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:556

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3648

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4124

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:552

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2108

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5092

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2864

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3680
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
08c4faa9f3f761a85837ca076c20f4fc

SHA1
a381fe9e5ee9dfb152884445eebfeacfe04d52cb

SHA256
c23bb9c233c7be5512a3572bb38ca478f1d8ed314c05156444fa3689c81c16c6

SHA512
ec69e5034ba678829780c5a36313a419afddad68cf28896971321422a83f35dc3ab4b3575d87d78aa16752e419ddbc51dd2d9cb29f1e3ea44dc64ae363a64c22

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
917d34117b8540d2f517747940ef9528

SHA1
a4d269a7aa2c0e735e1c797ddf62c1cf28223462

SHA256
cfa6b140b534ab11ab03e266e8299dc59edf0fa40356aa464bf36eff1a29ff99

SHA512
2b9311a56373a3d2d90bf0ef6452c1d97ab7cbe5acbaf165a881fdaa3ce0ca48c0e7d633799f5b88b9c1d1e262d59730b86bba6c4c6898229695217957fdf709

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3da6c58c70731a450007cdd282ad9125

SHA1
7612be43ea4ad3bfac0025987dc0e73bc2c3198f

SHA256
8e6305522f248ac962cb48c2efd54b41c65ceb5fab1618f45add274a79fea6c2

SHA512
60208891d9729d73c4c8bc95f1acda7ea728549a0734f984f46862725ddd2068b36055856143e4b44a757d684ee38b20d1805ed7e129a122a2bc46fdb1edaa9f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9b931eae40121f166b1465bc0d09cffb

SHA1
de9485f34b78dca5695a757611412b9fa201f3ca

SHA256
3452547033e4617f993d570ab76e440c5f8f7d82e8f9d099e7f8c167d6b06626

SHA512
47ebc3a5fce3432af403392ae44f66a563b254dff827f62dc72e03c5b80796ca16bcb2ae81c7d9446da3255db85c1e5a5c234552722275ec9d174046d0af16fa

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
707bebf196a341f456fcede8a017d954

SHA1
57a02f81a7524132c51a16b122bf473879b354d3

SHA256
e5f5849201219fc975e5162615f3720a725d3686206f3f985a8ac632fc613fe0

SHA512
21c8897eb984196476c8ef60d73c1531803e748f58c414fc95b22b1e50f1ae8f2bafa01253d921cd6c09b17ced1b2e609a853cbc8cec72ba1f0a8c7d4a4ab060

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
87fccb7a3f74b0494107758845f4c58f

SHA1
6a43b2d73b89b3f6219ab2a7f8fe9edc6ff86c3b

SHA256
230f6cd1e05a7eb17a009fd9de23a60cb3c47d852b1b795fb40a5bfc6c3a8d7b

SHA512
373dd827dd1e06b8c4277ee0a59bd4b5eb72b38c5b7052fb00fe00d3cce14d9f668decb5f19aec348f37675ec3c2b697f9f471bd9e080d41a39a33c371ca92d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
23cca40d89731c72973098635b2566cb

SHA1
8b47f2ca5ade9ed7f682eb13574bcb54d0de622d

SHA256
0be670169822a76dd4f372e507dfc9f131b46bf32a54f7324c99c3ff0c1056ae

SHA512
d03b02c917dee4936e26add54747ecbad2ed0972f430330894e9f9cf6357a1fedc814622b6aff01498546c9319ee6ba29a09198d933bd7d0167d34fcc1b0f6e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5eda378ebd478d18c327bc0134081e38

SHA1
a416b3179edb61ccc4482dfccec753fa45b12298

SHA256
4379a411029e79872a93769d29f62c8e36ce285d4be15ed15f4016a7c436d702

SHA512
a02d31c9cbb3d6feddaac58145c3a4eaec3ad1b2f8ee417da0afc861fd100b89352fb1e4c96c91dd183a3b01529bc6a668bc1741ddc920452abe9f4d74fd625d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
aff20ba3d089a7cc2894ce887d81ba49

SHA1
3c247f2b6c1db36782b4e88f32740fb8a2e8b798

SHA256
d31445870caa7627f9c8232e5a009da40517c728da7acd90ce9248b86237e9d0

SHA512
e4975427212fbbce1deca1a4f8cdaf6f459f3a01d3138e436dbfc76dd2c54c90e5d0a39b38f9f5bd3a5c0edc7f5d36da34ea83fca71ebed98055b651b2564234

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
880382bf609fac7360c0e6a22952c12e

SHA1
96b32fbc134e770ee73db5bb168ea4b72ee31bb7

SHA256
000640d0cd26156e60041602232d005adfa9a28ceee89b15967db5f396ea7cf0

SHA512
b6dc8003aa4d1452919bf0cf2e7592990b15af2ddb6e602ade7f2c9c06488be76bdfd9e1f442f047c9c6bad5f12de407dd3e006667d2f49d9448e8ff4548ecb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bc9f902bf49d794dab5c97191af41356

SHA1
e09dd8cf8bbcef401b49a5adea9a54f6b255ecf0

SHA256
888093fa13f1e334aaaa2f8692bc13a80c081212884f6022d89eb01ab000ec66

SHA512
1b39a2b3ee187b3c4bebc817abfcb1e05e9530141e6cd63fd0c324934f339a6f112d761a0d2b3bbde220ee4e910eaca5d6ef590fd04e7a52943ec9680e7694f2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
48e4c017b26ba9b77a1322f190c26f47

SHA1
b4ef61b2a4201f04d6bd715ce6469266f33df6cc

SHA256
33b8bc6e7e27323bba65aab2824a673432526db6edd88977d614d2eab7e8c1d7

SHA512
509057c35932885297d76cffc5f847f359c86ebe6ed11224e662ee311f0a6bb1cb5b025e1f1d2177fb323959305762fad19e720175155c1518e619657d467810

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4bfc7137c834a877599fe6ff9bf39ee6

SHA1
41e186cfddb2923a24820dd321e63e83be0c109b

SHA256
5a1e0e6dc1c0b0e8e876f9a8d54864360c39e2b257854ee7a7ca1d33458cef59

SHA512
764bd30598701df45ece11915e352fca8ca32625be52a72a2418632f8f85d5c5d71f9ab2d95722e2b4e110a65fc3df6c059e7deeea54fc90e720f7a895cd0722

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
554f864b8a7fb93564bc5bf65757fbdf

SHA1
82c271d5083987875951353c131f6e56a0ff709a

SHA256
0b013cdaa28f2223765170b078a9b149cc114e40fcd161b529a3b4b1b129c09f

SHA512
7e2ba42875b52c2330d8c6676cf28d93e4ecdfe3f07b206248e2530d5037adac09fcc5f96652d5af2a4a25ad39825fdf93cfef5cb56d97b4d5ccb4e86aca8857

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b82e03ddb6974ea55db922157788f45d

SHA1
13146df869f9034c25d574680c4deb4b436c4845

SHA256
d1876ec32c24db392b91824a9da330ce0885ac6a0c1d625830f17c3a7626c60e

SHA512
554e817c0d4c7f9e27e0edebba2990b5db5343fb80a0b2ef127fa5479b68761ef3090f5450cb6465fc50e5a1995dc3935f6841bc9ab67c64d9c40194d9bb7dd8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ddb3efb8021eafe07674bb29d73fd160

SHA1
d53888cd363a589f075f4d394a1ec69a4fc6ce0f

SHA256
9b905a77be9e5b104fb5f0278c0a94b919ba2d7ad99c136ef78ed289229ea138

SHA512
9c73892ffd4f11d033a287923cec7900a5e26245de99224a7971a867402d777fc6547e82845f10a190a9e9151bf6b8189c46f976b748877f0d615f8a006f6d7b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
36bffc3e77bf97de86973fcf0ad72103

SHA1
c1013176a4cfce8b1a8715e6f6f78223cbbb162a

SHA256
0229ac179f6d92d27a475f8b8a85962ad8a8de3f74be75f01f1d1b61e24d1a63

SHA512
e39469ed1dfd9827f37f1565ef4f9f7958a0ffd5967765ba504cbaf13c46bf51fd902550743c76ec90f1944187333515ac5213da631a5b993d11c493dd305578

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f3c522029a3ab001f3c1cfea774d68df

SHA1
506a057c602e0a4e8afb364762ebf10af429e6a5

SHA256
79cffb56a8dda4c339740a6ec6a6cad13f19fe7ebf8ec682df8c3b5b3b115fd1

SHA512
e114d53ad02d124b13a15d44daf0ecc26fb27452cfd7a76ef96b423c9db741cf6270dc6b702843232a5ed5cbe2225802b4f28845b5675f37b3e5aa8c993d0511

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8c73f859cfefb0124dae34aae383fb48

SHA1
34c3904ab66aaddc4c1c82a9d2b7734ba28bdea2

SHA256
28711d16b66a6e1bab51a89a70da25689d77e9eaaee70ba6656754740ea473de

SHA512
9fe1d238459662c977d9116bc131645bf37dee7d21363538985e2a278a5b9bc59d700deeaa0a61d7e7b8258b07a10efc51fc017569ea9634462d2f0549f0e1e1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
99b13eedeb98d31304c3901dcde9690e

SHA1
dc4a0edc88637ff9d8ce63fa376ecb6fd0141146

SHA256
7e01b130fd2d994167726ef552634fa1ca2f5388385d628ac96041e59c5b075e

SHA512
1e9c29fdb5a659e5be8cbd11e4db1b383ca5045d259fae447ae996c52897b9b8ff8c3f4fce15c00ba0aadb09e5e44588cb81529c70bf0a6512a1190a7047e7c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a3cc1e020c7bdf5a214d84eda2bdfea3

SHA1
b9451e99440523a46e5f63a6f1270b99d10dfb8f

SHA256
1a9f33777134034e9e15af26f4b4362c7a7a5b76c157d8fe105fa7a356476cee

SHA512
1de8401a3bc3205fd95131699df190e06f10b62cd7cd34e8415369ad873fd62ea89cd7c488c78486315c41c6a226f87001e93883e3104a4b624557a7f8c09f5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
5ed3d46ff354171263e59804a410c1a4

SHA1
4243ab7a9b8dc27ca2d0b6a4b1bd7214e6b11afe

SHA256
98e6d6c2162cf2fc2f09eb615ac566f4198dbb35a5ac5cd713b7bf8e8261dc9c

SHA512
2037615102ac61a5e853d89fc9e70d8c987c424d8608cfecdb718c7b80f590c3621f4e01aa43c8e5f52e1c3d3be4b94408362f0efea643ade86bacb64816ddc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
286d1377f6b302f57dbdc865c75e2af6

SHA1
f2580ef0d59defc084a7fb6afd94d941ccde7ffd

SHA256
259ab612de1ec76fd553747b12026c8168be0486278d2715e92dad4fe9b308e5

SHA512
fbc26bea63adee3c4faf5656f8b9b97b0f1acb269c8243c8775de73f8ac198fd5a82ad67a8bdd4b19bf329ce61f2622e5db6caf5ac0d48c8ee0abc98bb2827d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
4497c7fccce5cc5c708cf84f972532d0

SHA1
b4f04f9caa0b214cf4f62b1d38a0eb0e4af94256

SHA256
46932a52a4a208c42985c4ca949816a11440d93d36d419451978cb3b48fdc42e

SHA512
2a1b25125451a20444d889256ab1eab4c780f82c8ab1cf3621e1da4370c4c50c01d194f596799326099c41c33f139d6f0d8da09edafa698c0c61cb543e3c8725

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d0aa83ad20bceba7fe4c87a2e73ecb46

SHA1
9ef8944bba4d182096560b7ae7a515aed9fa82f8

SHA256
bb9dfac9e6c4b0afeab83f88c8be09f20c6c394f9501f01cc3371c4284b0c983

SHA512
7ed9c46c0ee6e3f597002e45f0b76c3d619354f538ec5855616ecc095b6513eb5337821f52de6768a92d957c48f70fd532c4e344f7062a6aa107c8a3b3ece8be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f839c2a4b8470acd71a6bc13bb1e6340

SHA1
b27db213904c9a5f494f446181df5d8b83d60f8b

SHA256
d8ea9a414a1bac43e97f94ab967134fc0d6d12fb98a63b2a4b2b00c0d97c0f0b

SHA512
f6552de5d8edba9fd2ab2af34fa8fc5866e2ee935e2ef42cc6fff62741c0494908fd134df83461ae9d020941df460d86db19d48d7d78301417606ed705ce4b4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c1b4f7462c9244657b68e8b155c28c71

SHA1
7bead2b445db5fce316793de63ae0f5e4699aac0

SHA256
33ec38f03a6af863e97e8765961812036ee015d3402a6800034cfd900d05386f

SHA512
d2418d048b97be797377a563e8189b9ae9c2b63851ad47ec982101cead443bb36834dcaad2b6fd9f33dd71bff97aa1653691d8953f8d704ceb8bd5a245684e6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
05f21f3512fe066e83efc7554e07c290

SHA1
07af5f3eed86fc239f0421ae420c08f7fa71ca67

SHA256
8ed0416e9feb6343cde735af59edf1df52a7efe7f8545c2d6583cca94a2281b2

SHA512
b4134889bc65fce82cf266c8507dd271405d38e8c30c44cc2db920d8fd001e26ef23720776337bed95974614e30141df29a3f2b8c40d5e9057f3da4cc2f5868b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
169c3162a2f62ff3958fcdb25f23d60d

SHA1
3614967ee3ed7c6d82efcddbbb11e695876a7ea6

SHA256
eef1de0872d09b01911850c3568241d7a7cc25fe9902c96d53d9448b3236635d

SHA512
d755ae3af11552f00e4debec1163ce2bc115752bdb8c83b1c256cc1d3f7a21fb45119058f47f15aeef2027c6153673c1370d506e386faa1bbc11ad944fa99706

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
aeb997d506b9b81e64a3cb3553e14a39

SHA1
867b89c7287aab3f955d01a7cb9cb08df6ed447a

SHA256
6bfa828ab47b3e00eeec9f4d6538f67ef66f2f29e8f72e418f242dc6058e27c6

SHA512
6d2ca9ea7fdf783c292bc6ad23351d95bf739dcca92dbfcf060bfabdc5e9eeebed18ae01a2d92f1d5754460207abaf9ecde3c8c44304becd4ee42f6866aedb13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
caf1afed55f311b8cb74e68cd741c6f8

SHA1
7a8755e2da888c65914eccfddae2a7200cffb5ef

SHA256
e86505e5b608969b64365dcfb0e4fe5979d78bab4bf51cff19163975fde59544

SHA512
9bd679d4ee927bd33d80bce4e2af08a6eea75f2ee1d45d7e7acfd76587b7df3a7d5cf100c01b01b25c18d121c9da305bc9fc4a346704c002fbe84c368fd30afa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ace0c3f11ecf6e0ea20e7f33eb05c89e

SHA1
08dd03e50d6b25da1fb9ee853ede4346c57faf73

SHA256
32f366be50a5632ff7a286146d4859ae6aa572987c3197d1ff72c735a0ed946f

SHA512
02037fb1551f4d221acbdb47f19411f38eb4164248168f719bc30a45df5592ad2565b6b2d4bae137d411895d9f9f999bf0627c67c3a590642528d1888b704770

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
c0277443624de0295e0ca93f67fdeb27

SHA1
f0dd41a2835033f2a2dadf3a51e193e549a4c7a9

SHA256
12679aa11b6a147fa02e44fdca6dc2f9b4bd452e5312bde1a8adecbfa34d2401

SHA512
d5b1fccfca58f2cfcaf88020e7793d1da94e5cb30b49e268c1fa8fd94ca88f3e321fd296cd47dd3ccb0363a5a12fbaf7a77abea57b21188afed4c58fc659cf7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
3146d91c0437706bd5122c193f72a5cc

SHA1
a02505ef625b805aa752e02fa0a1a162d24f0a1d

SHA256
b5fe33f3fc28c1946e8f656b41e6a9b4b1c9f2d954bf80df3b86fda862b5236f

SHA512
21a77db1bc793dc916cc88aca77e48056ad2f82d66c0c1bf21360b8b67245e05fe493a0067029aa9259e11080b3454983cd4019fd65187dd11b8ed92032f1163

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
ab26252d12583f22442ee1bf84286560

SHA1
2a704bdec9c2ce0ad0e0226c803bb52aae0f966a

SHA256
ebadb73136fcbb8e41074a60c6446081c15ba2fe0997cb6ee7ce694e8eaeb8fe

SHA512
184f81dc8dfaaf155354910251fde35ca04bf0453ce3c8299ecf5886b9578a84eb2a4f132c1f72c64b3a40b44160e84cc6b351aeb3fd42737be04dd5540c1c00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
a3db893963543b0d2c7fe02bf7d7a07b

SHA1
84109c55328fb823cabe73e701cf89b6f253f392

SHA256
e1144a11002b6467afb6835cc41a1eb2edacd018d244450f24bb8e4155194061

SHA512
60fbacda59cceee82038ed5c8332133415e33d20995b93812668017c9e6d784253c6d76a702150b9bc08d6436ad37e87cd4ce845846ce8eab17dfe9b166fa058

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
71070e638da12cb949f75bb2ba64db64

SHA1
e1aa08feb3aad720b300036f3749fb9a24530847

SHA256
634b9651705c51fe13d39fd0cb3c892f2362d7eb642a765880263243bdd405a9

SHA512
c03e0b7671721fd5fc79a74333ba94b2c5cd3cdf987e9c80cde0fa052eaf6d257349980488b9d47e85b0389538876c4ffb59f843aff43fa92405ee196848df87

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
29a828f8e2c33d6eaba0479ce9327615

SHA1
519011e2c72f6bc2fb182bddadd6356fd1c94670

SHA256
675b09f686b5c9c80806ab7940d269c51490350a7ca441fdb19ec98a403d6900

SHA512
883200676a454b09b7d87dfa18b337f0f713bfe2c09cac134a4f58bf746fcf1212fddbf1d0f16cde0a47f3c5a7246a946829dbb21993e6a1db5725d8976bd45f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
edbd3e606543cd9a8f782e2024062788

SHA1
f5a0e4e8fd52012ccf0ea7df48c40039856fde10

SHA256
0227db3a2e8915210594545b8612c96006cd64eb37b96bdfd484d7d337948dd4

SHA512
cd2ed2e7cef82f8167cad5fc3ecd4cf36ba0136a89796e471f311a3c4e2846785504b3e60060e5f523a290c32202be41fa7a8c7cb2961e02159e4d8eaa5f3c09

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4da124374e565356c199d9412ecaf2d9

SHA1
b5fa12fd9b7922d6c8cd8a40bd838c37d4a94ee5

SHA256
9b391069331670132b2962e406f63e6a8cc0bc04c9156ebe7a36d0f07900fbb4

SHA512
9a6bb5ace7bc92dca24a7677a48753c9cf8b9cf4267d56c415d0c860cfcef235103b6a39079acb14339c35ae416753e61e8ca01f9df3ba610a5279d473116646

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b4722f7f1f618ab9ef8a9bba1b7f3993

SHA1
23591ae6c67d8f67eecb64c56df600ff74fb68d9

SHA256
3895d62a2770acde8ff354b41a6adbe1ed0c010678398c6bfa0dad7f86491f65

SHA512
2f2be8ad0696cff786f4876d999d9e24cdcd7e0bc9926adc5f8d05dff265950ee2f77edac60b2b66cb06495311bd49e7de43278236916f1140c2c1af11c256fb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1dfd874e8fd48f159dd6ba55a8722443

SHA1
170e2c1f658929deb14a4307a323d176ff8ba4b1

SHA256
09f9ffbf1e93d058e339b502e821fb979f0ae26b67da739db4ed632a25dfe7c1

SHA512
79a8a81caf9d08ca9186bb7c1b8059e87c9fcf25452dc7d1f5e8325915998cc08cc87572863ac488fba86fce6dd91789464b7976d10947a08c6f6d3a6ccf8595

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
daede8cc2a94a2e72ed66d2c56a112d5

SHA1
21d76dc9a679b94b57821db6e840334240f78112

SHA256
6df507b7b777a5256c91d31082fc215f0653df9c32373db77ac260af9f0f1ac0

SHA512
dce0b437741be26a254b0629d7dd030543d31613fa5c2d0500ff5a158838a9abe786b6e10634f975084e241e489c9ada1df15b828a4d85d9c1add03cc0dabd99

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
09c32f261286c33f59a3c2d60747b20d

SHA1
674e6734009037b2edeeb843478e7f1cb1acd68b

SHA256
204e7b209a0f1eb1261bbe62c7109d68558dc4b596ecfa945dc031b3ee730dd0

SHA512
91a6d20f89d45473d382bf428d5a9f6b4648dd128c53c4c83d1a6785186d6da02f27cb80cece466261ea6f1ad96329cc157349e7d2b67e076710871793b41851

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f96243860156c910bc48eccbce610228

SHA1
049121502c2f2516f2aa2e332e775cbea37470d7

SHA256
a0c982815bda228bf0891c3019d64a45dfcd8b1dbc3fb570fc106260e70cfb85

SHA512
56d3395771b5360e5250ef5ef8b3c39ee110b74fa28a6d166ba7e03e77e4a328bb1f55120319b52d7daa18ac2ce2431265bb9928ca1ecf55f711369758fa1f5f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
868fd20639a0fd6572e72dd901cc78fd

SHA1
b8f1b4b283d10e1847b3be30dc26f90696373388

SHA256
e2503107473f5447be0f2f198a28cd9278f344dafcb07520aa2e0a3c37fc69bf

SHA512
c9a53d41a60e5afaf2f343c93fe62449e5b2042d09427ddb3682bf3baa461cd5f42bd9af7fc9052330441ab583b533d08b5efeb0c37f6cf7ede74e79d5079915

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
790f06b0c0052c5149c201df9c446348

SHA1
3183fb67a8606e80cefddbc2f38eed6dc458c36f

SHA256
546516d8f831f9532a446d3251cfa66657d896ab7bfa42bb643f79bc68289fb4

SHA512
d5f83ee2c85ccc7f91db0d8c2083892eec763e6869f967dd2c32ad821197a58307181568ffec19e6bdde206ef7719821f07fb2b8977eecaa4fe402810ba0933a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bdd4c1805690b15684e6d0c8a58aaad2

SHA1
3a4af0fbbe55e7a4a2a06b66e2f4919186a7c0bb

SHA256
691e070d9871e780c2d1b7ec5fa31880fb09a64d406f81cb32c64d6dd7c281e8

SHA512
89d924c5a60499a72bf2684c2a61220f2559dcfbc34d51a9520dfa175ece3829aa9eca1dfc37cf49216b0a38a26e4285a814c762fe3211ddcd9b9b9709e276fb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1c01e13be61c7401cb830eaf6f0477bc

SHA1
894afc3172da681edd03b2e0a6aced772fdc3472

SHA256
2b91a0717933cd4780ad9d11b398847ac0b137cd16291d9c3c59f346aa2939a8

SHA512
995391b4f848707e34bab8b650613b5f2470cb1b340b8cdc7b33572faa91afe99d1a4d3acb749afcbc0b91cd210cebe3b4d135b9d4a2e1f3eaa272da840dc249

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
864af70a51e749b42ff067697afb7534

SHA1
a9f4cbe78be38843166a7681564f7af534a2b2ba

SHA256
f3d7a4ff663a75f7a1e6539cf578eda777da7e4d10409119c535f0a62cc52fd4

SHA512
edd06cb4967e7b2a78f5943d0bc213f4b9b7d49214aebd33bb5c6cc261e267b5242e98e282eea5a1c43aa2defa170c22ae4e0cc2e49fdc101bfe6a237a856252

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9b62167ba76a11d0cf5b874111ff9d85

SHA1
091eee6e58f527ff8bbc6597078c4fc79e483c86

SHA256
6da1119798ba572f34611ff04e30493217236b9dbcbe4a79bb2a64934b089070

SHA512
ead586c61f08df0c8c2c4dd8b2df9b72edc771f5ec204f5054381b403a8b7bf9a8d7094d07833b7b77f5fe001d8dc10e52c370a50e0c29cba9662b70861a390a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1528bc8833c8def3e42db0fe68d5c40e

SHA1
66b287d102c7197499a5feb9227adda4909d9b16

SHA256
d69241d1bdb7d592173bbe23ff6086d841c838e8486ec9bfadd2aabfc9a65f36

SHA512
7640159ed27cbb51df66fb2601268bc185207dc8d71b6a4088be0e8484a146473a67e1d571e97834430359f42b6a43a67a739502b18f197f501eb3b4aa240aa4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
61f158b4366087d171698a3b5b30b3bc

SHA1
9a0fe020ba73e76254a19a414c2916205df01e33

SHA256
134b04d5699b67669c95e4646b341f31e7e36be233e8f1f9a6dbd0d7c91b17fc

SHA512
bfd61f10e8f97d38d475a98cc4a287f02cb07453afc59f4fd7279d388e589d177c1e035e2c87cf547232a66d3623431a7797a1c92d724456ac96224d3a8c1ea1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8c43cb6bd81615c93b09966214edffc6

SHA1
991e2d6ce0da1c25bc6814288df49c0ea5a94a96

SHA256
916c55acf9afe3cd15aef6929a8ffa56dddfce16800135d4621d97298a031bda

SHA512
123e3806f7978c775980d3fc7c26c97c523d672bf60d036965a77d5ac909e13a1c8ba3b7bf38084f67b2b3e31d60cf03d3ca1fcc25da37e7b316bc080972885e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
add40070e6772adad745acf98fb3f5a6

SHA1
01d3d424c91b8ca85ac033fe5be4715be3d05fb3

SHA256
9ee94a888f347cc30e4fc4ba691e464cd98d5bdcaffc2ae9593781308d461e19

SHA512
0abe04662602cfc693d0c0ced30640f98f7e1aaffe89eb23aa3434b3d26becfe05e5df2cd313a35405e656b74e5c8d83d4a9930572fffba88d01daf14172b276

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3b64316d1ddf03b66e907375490f951f

SHA1
8b902bf04a92f201c71b9dc67e16e8491a7d47b4

SHA256
1b43e0c7dfad42e603892d8f1503a94f9224519adcee94af3e0accc7583eb9a1

SHA512
036fe4d98370f362bd964c0225fdd30b4e10ebdef4f8a20dd6b249deec441ab10c9be15e87a782321663d57a25df5c770a669c79c2c09815538a422d6c3e95f1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e6ede43119368f5e17c2d78c296d82f9

SHA1
d1117d8d42c01e4aa21a5afe9680c9ea7e0a3baa

SHA256
562f351ae4c7dd9f52b3ac9738647ffb06da3d657b21e55064f59631f8d93f8c

SHA512
bf5adfebb5b34662fabcf16fee592a2145b3ff07a5913c08c736de42524a5e7f40062baa9f2673aa8add606192e8c9a9322b409699f47f1a4e4ab873b575acd7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
10247025b4fb6a8bd86a2cd4ec3368c1

SHA1
b8d378c8cabccf86f05d90d10bf0b7c5fb580f16

SHA256
9622a10e9c31778ab8a7d5979ebaeb348a55d36b63d82ed3e3ebbd6e6422f485

SHA512
a38cb09d6dfa57181f45bd396f8cb7d037552320f6d460cba8fc8995ec49fa0ad16fb9cd93772759395a2d54a6b77921bcd3fb646a6fda900b0049be51368dd6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
1df7a7f4865cefef4a60c478dfa38313

SHA1
d8f3aa5258cb9536009837124a2e7480089752fc

SHA256
c99ed4619e067e8730667cef22bf1d6ff7981a893b5876e2a36d8d7986298d50

SHA512
9a456a25bbfa8abd9bb7b198b33abfa223689c574385c8b056164f89bb538033a6c5034df7ef5608fc41dcbbb075501399d4bce66fb8eaed28c88b5615de5993

Download Submit
memory/376-1-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/376-6-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/376-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/376-610-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/552-267-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/556-73-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/556-83-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/556-79-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/556-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1164-620-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1164-280-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1388-612-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1388-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1388-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1388-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2088-265-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2108-268-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2108-479-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2280-615-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2280-52-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2280-46-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2280-55-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2420-264-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2512-279-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2664-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2664-31-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2664-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2740-60-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/2740-36-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/2740-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2740-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2740-42-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/2788-276-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2988-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3196-274-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3648-87-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3648-263-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4124-266-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4356-277-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4484-621-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4484-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4516-619-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4516-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4516-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4516-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4568-275-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4588-271-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5092-272-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download