125d223a8470490917c05344bb26eef3571c3cbf4ff648b008309468257bba63

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
Size

1.8MB
MD5

c88b3aac29e5f4c67d7243514b8c7a8d
SHA1

1c02c8e9addf277cc31df2bd251be9611eed873b
SHA256

125d223a8470490917c05344bb26eef3571c3cbf4ff648b008309468257bba63
SHA512

7261ec4d3a406f49d0cde6c8eba01f192a7c14c18c9c83a9dfa74c62100ca1ff02b20e0edc2b188d27657b4d9f6ca5c0e1a6965381bd22717e246c3c6f6d9d15
SSDEEP

49152:nE19+ApwXk1QE1RzsEQPaxHNamgiTd8DsMcDKGfWbYCGE:493wXmoKCBiTLMiKGu8CP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5976	alg.exe
3168	DiagnosticsHub.StandardCollector.Service.exe
2648	fxssvc.exe
3124	elevation_service.exe
5788	elevation_service.exe
5712	maintenanceservice.exe
488	msdtc.exe
5376	OSE.EXE
3632	PerceptionSimulationService.exe
3592	perfhost.exe
5032	locator.exe
5764	SensorDataService.exe
5420	snmptrap.exe
2324	spectrum.exe
5704	ssh-agent.exe
396	TieringEngineService.exe
700	AgentService.exe
448	vds.exe
3084	vssvc.exe
2236	wbengine.exe
6132	WmiApSrv.exe
5888	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\41678c58293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a376f34bfc8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079b65135bfc8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e870436bfc8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026fefa35bfc8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009fe5434bfc8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5c7dd33bfc8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079b65135bfc8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f78ee33bfc8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
3168	DiagnosticsHub.StandardCollector.Service.exe
3168	DiagnosticsHub.StandardCollector.Service.exe
3168	DiagnosticsHub.StandardCollector.Service.exe
3168	DiagnosticsHub.StandardCollector.Service.exe
3168	DiagnosticsHub.StandardCollector.Service.exe
3168	DiagnosticsHub.StandardCollector.Service.exe
3168	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
Token: SeAuditPrivilege	2648	fxssvc.exe
Token: SeRestorePrivilege	396	TieringEngineService.exe
Token: SeManageVolumePrivilege	396	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	700	AgentService.exe
Token: SeBackupPrivilege	3084	vssvc.exe
Token: SeRestorePrivilege	3084	vssvc.exe
Token: SeAuditPrivilege	3084	vssvc.exe
Token: SeBackupPrivilege	2236	wbengine.exe
Token: SeRestorePrivilege	2236	wbengine.exe
Token: SeSecurityPrivilege	2236	wbengine.exe
Token: 33	5888	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5888	SearchIndexer.exe
Token: SeDebugPrivilege	2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
Token: SeDebugPrivilege	2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
Token: SeDebugPrivilege	2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
Token: SeDebugPrivilege	2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
Token: SeDebugPrivilege	2156	2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
Token: SeDebugPrivilege	3168	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5888 wrote to memory of 2264	5888	SearchIndexer.exe	109
PID 5888 wrote to memory of 2264	5888	SearchIndexer.exe	109
PID 5888 wrote to memory of 2440	5888	SearchIndexer.exe	110
PID 5888 wrote to memory of 2440	5888	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5976

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1804

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5788

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5712

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:488

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5376

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3632

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5764

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5420

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2324

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3248

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6132

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5888
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2264
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8f967904f04236e883152805f47e2993

SHA1
427f8eae39d8e3b1eb865ccbeba5cf5d6313deed

SHA256
2c1a4e1738592da64b0462fa3fc6ead1ee8c0c7f28999c784df5c6f3b53a259d

SHA512
edd069c603b8044f5728e740d1478830680538375a733d0b21f732837c4b27f44847391db18048f81c6adecd87387400ecbfda3f23e6d29f5ed6317bfb853eb8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7132ddc1d94196b4cfa50f7768b070be

SHA1
7d01a375ee9a9c8d25babbb07355e3553fcad582

SHA256
27177c63e0622a4664f1a911837542d697e72038887d5931c47d952f0373d479

SHA512
77db987371e3e449387e5fbdfa785126578fca4790b21818fe0a17694b974930b35e1a21505761905174b2c3f31b95f82482d3d272a751b417cec6821aeb91f0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ad2e1085791c3c1c6d6491d2d003537b

SHA1
e3bc3bf140b2417bbfad519a9f36258feed410bb

SHA256
ffcdb7e31580efa623ed16fe26d8f0574015019eb46c0c865d2582f9c82c3618

SHA512
6c15cf24753dba15e9eb75a3694de363b9459cedfb5d42fec3eaaf86f8d5b568316da2aa22aee7ad3210b960144e152801619df70d4098642fe9aae8f4241c54

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b28dc3b9142e0c67bffc9ff04d47b5a4

SHA1
9a7fe4cb1f57643b43daf3bade3323881b30fc1d

SHA256
a08fee6f52fbb8e325424f7f1eb9300b4bd9f70622bb318919fa07efcd890609

SHA512
667cd8c813535d92d17c3eb2f0306e0e6f8852f6f8723eddb5a242aa18995e5952a2fca72cccf67f4366076163cfcd030c3b2c559037a25018154f4d2d8c45b8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4edca3fdb869a294f1acbcedf0b3afda

SHA1
bd826d7c8198ced2bc6eb807d43d46a77a2dff08

SHA256
e670c7755363c23f179aa460ce6877bb0ce6b328d3eac5271f456c8bb5cbf9f6

SHA512
ee7b09acfdcb52ed81975074d75ff80599e7d3a00955954f405ee6f7e8deb9fbf983a71d644b7d491331e93f9d7c3a14a2b43b6a6dbcdf28bd792e8f30d7cfb2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
535e64b6299ea6f613e02a8d03e910e1

SHA1
04ad8dd2d0c2e0653ac1013c5d2d1bed444a59e9

SHA256
8058599508d6899ebb1f3a83d6fb6c45dd7401115f4be3022d3c9039c8cca763

SHA512
686044d6975ad959e7fabfcef3ca2f453858639b2a7c4560e38722f47454ab50a1463d15c9f365c1a0da7861d75ab11c58014c1ce23434c279c8ac531a57fc3b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
fc516518d56cf24b153e9060e9e6fa2d

SHA1
0c1e912e7edc781008ff7081e8ec336997fdd33b

SHA256
e2c0e3fa3786a7652fd23cfed1ca27e46d3f35a72b55a2c487f954fac5298a11

SHA512
234fe6de8d315515fc1b5d40247b51e72b96dc2d064f17047c4a2b49ee51ae3c31eecb0ba808ed258cf202def0de0c95fd62343cbc7733f027d26dd3be530449

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8ee59b8535bf275df872c678ec3bda85

SHA1
d3c9e5b069ec9a6d4d6ea0072715faa368a26e00

SHA256
3ee249c60abfc422ae30c882d93e9ca1b8c939381625bcb7fb147813f25aa1fd

SHA512
f0141604af353d643b108827d16d73dcf2c823b05be91f6b8b5710573a9d173efdb20a62938ec517ff88b0a44998cc981f1ac93696304e1d1beb6485d968282e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6d62c220b65bb4a95c4e6a50ce944284

SHA1
19e1f6110a35416ad26ddc6e03ccf8e5c489db44

SHA256
b1a6cad21d508b688e28a4003ebebd689ef6f6e02b3f83e588f7cce78a159e51

SHA512
8da21e43cfee3e65fb690a6a74b73ee0c4e417e15b74732b852c709df6e71a2f5d2fb8b72ab78ebd9ad88b7ce4eac68444218f546dbe8e6d5ef5a254e5792bb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
552404bf13a00f6a9ad977a19feb7937

SHA1
4b0a9bf58e1a550c3d3795827bd09251860a2eb4

SHA256
4ce4419323a8576a303e6c359be2500064abe691629adce78f0cdd07566aca7d

SHA512
1883d4f0270f600430572553a4df62f5fc49bc422617f17f2bc51968ceceef31e8666223bd03ada3f99a868b36ef7bc4507e69af08b99db536fe0d86732abe17

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0f0d97b75887e392c5743469563bd8b7

SHA1
57fa2057e764fa0a392238e6c9e8d0f87aa5d369

SHA256
f702e7bdcb0169318e20adf6de5744844cad248a675f46b37618fd6d40fd51c8

SHA512
2c64e60e10064d4d6ea26326e5f1a5e304ac01bfcd624a42aac06017589f210f5c9231080cb05576a6ccda66480431161451ff3e1e3dbc33286340c679421d36

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
152aa78acf2e9d0f7c9d3b69071d18ad

SHA1
066368e463cc17d38ffca77880678ad41d5edee6

SHA256
fc476b42d0a5c4a4bc33367bb733008b84d65145fa4724337003875cb0288424

SHA512
df3a962700e64edecf873a76cac818c7949712e1293a1e54a546ea42b8e5200a7f8fe7aa9cf8b35793abc8017377927fe606995e13407f7c2eb3764a78ba0aa7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1a15ed05caecaa0ee8e9db3756870a3c

SHA1
5ad372b86f34769ee113bbd3c94622b09f61cebc

SHA256
300ed3c3157e87375a2962dcee8bf9d33e2c8fa849ebb6bea5278e09bc1c6de7

SHA512
39fcc7bfab5378bd456e19f96b442646af2ccc5fc1582a1ea8e7d5887645eb9e0ead9560c76834dc36f7979de1630421956f9528f60df416034c420e46a62fc3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
99e3e60561399e5491b26093c1db3812

SHA1
b9702ab0b1ad550de2e653eac7fb7be8a95795c8

SHA256
ac8d7fbf516c69f8c61ebd94c07e5e21459d36741b26a3155b94d7289825d5a2

SHA512
0a4a17e31fc8221232b280ff2cecbaa699cbd221824d180754911462cde7b207443e6d9a543cadd6d9d81f5ce5654e81e21364cd445c9101e4929e3e707e87fe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
dee4e44751810b31cdd00f933b6c328c

SHA1
633daf29d1cad32e8edceb901a15838e8d0c28bb

SHA256
63458a151e5bed92f1ac289e88a366adf5c9e4924a39556f9b1987dc60629130

SHA512
c6ea881624cef3be6754c280610f1176af0dd579f2cc35101b7e8d624769000cce959745a8cd5d272c6e6f0f2efc4a4353dfd3daafe8b05ae4f10d52f084045a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
222c8feba6c92b5741a64464f9a62487

SHA1
e58aec2b3d6b87afc5705e90b90c885055c9c9d9

SHA256
492cc0eb58cdd4444b32943863541b77d70268997e07dd9c3083eb820cbf2a66

SHA512
f138f0c51cd8926048bfa8597b96ba7fa6edd4d516aaaa4872c5545d877672439260897a5f5eae29bae5eff438054ab7dc258930139226063775571b86e6ffdf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
76bebe5b6f7386d15458836563d8e908

SHA1
d3523c0d25c201b3c1d92a22fc237dbe955ae3a4

SHA256
d92d21410283bfef721f0cffe7a6603c67d934e96c9bfba44d7fd5d7cb281d4f

SHA512
8cfc59e34ddc7445f43308ffedf37018f35f20c35ac92fe679232692f5a11b238a5487146d054e6ed570f0d1b50bfb36695af055a21ec77b509cfb939dc99ce8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
195418bc6e553a61f66a2071c59705fc

SHA1
d566043370b128f321f8e02a26fb78e10960eee6

SHA256
d435b95fe2040483b789b20536dd418e929a9091582209baa5e027402a4ef1c0

SHA512
087268227bafb4067e3de9b036dfe60ea257fb06e236480bd5717ac70adf72470401b40edfecc3ef3452e652838d316d3ec579fe83a7b3681b716d15b947931b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7956ec24b86a43630a676907af76a627

SHA1
936deddf2bdcbd09174e71c1640009703b949e8b

SHA256
7a3a031173175498ba4ec153b119fa1e94f190ea19b85757b1a1ed79e8bc1353

SHA512
12f389895c3b93e665de027aaa95f0d0ed2973beac99362bf07004a927904b6bae6afa36f6658c0ec75682bdaf0a69be160ae175ba479fc7c82a510c9aae0e60

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
6ffec0df05b9a3f16ad5e649e26c39e0

SHA1
c37fa40a10187044a03332b56eda37f485e6ed19

SHA256
2c927eeb15f41cb0c7e87b4189950f4a9a37b03fc6c1e401e83139a02963ea7a

SHA512
0d6d7ce9eb041c7c5ba2f9dd88c0628ab337b2108a184613d12b509827b18139c59bd3a4bbf844825037d4da56f79ac391b391073b97ecc8637e433e0b579c74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
84abcda13d1c3216523e2deaca328900

SHA1
3944248c4e66a39a49dd38845efbae2743fa8335

SHA256
a20cba75bab16d1280ab3ceddf9f8dbe0ccc8acfd267d7bf03e4a4ce6a5029a4

SHA512
25d49eb7157bef5970eddc68ad3f89944809ed2eb362e847e17f8ab409f4a385501a3d3aa5a513bda7468c65afddf8f1360581ee5b848bd40c9b7f1ac8034231

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c32e4afcbeec242bf4126a2786b6e675

SHA1
b35b6e4b41403cbadf71bdd15f9605cb163fc577

SHA256
95fe9efcf1aa6c03ae98d68bbae9b27da05e3e4679f8afbf1fc26c1ffa07ce56

SHA512
f8037783a50f086a6e760414a8e6f9a04928955544287c511ad5f8097fe7d6d803b5c46361913af96db0d3b91ad31412ba559eeb316bb7722115471fc594e63a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ab635a183e2ca48cef66ad1b46c834a0

SHA1
5d093b47485cf214baa18014141fff9d2b2cc1f1

SHA256
204d7a4b3effbe3e5110647bac79e88ebbb03c43004bc8c70ac02948dcb7593d

SHA512
ffa68b6d659f5e468129186ae95411a04ae280adbd1c14ff04e58c12752015fbdfaf86d06ec8dd26f4709366e410d867a754cef9fd656d79986e18778f47034a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
294bd51c97a76112edef65e5c2c471ab

SHA1
93797f752d92597231a049d0b6387bf47f31e74d

SHA256
9fd18909a1c6b49479cafd33889955698a76562cb88a44b1ea80b6c479dcc4fc

SHA512
a7479291ca25e519cb50e6948c924fb3ae7fedefa789df48640eff300ad6e84df3a9d78bc293e2b77bcf6c427b3db06b8e26a084aa949564f4bdab258c680cbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
78c2a86889035120e15402a52929acb8

SHA1
92960872b52390d0d1e24db6192ebc04b07efb93

SHA256
8c5fed366929c9b3f053084d437d0c3a9615e281da1029fe39c3acf5e46130b1

SHA512
685b1f55f64bbd114cf5bedb7326223077068fcc9e51bc12afff7647875bda4f0a685fdad60e568ff3dfb53aaa9e02956ead5dc926407ae996cad4d769fbb5fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
63da7862044bda0c560ee931791687e5

SHA1
6ece3349848ee93b22745418fa8a3e97c4f182d6

SHA256
da7d3f52aca624615e9b115801fa7d18d04892b7e21a1da010ea5157526ab985

SHA512
63ff8507dd96e2a08ae0db603af14c2f047edba9754aa271e58774f632f691bc60414f27a5421ffe99666a970e6bb753601d1e17e88408fd98f983faf6f77d28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f84ccd945180631fddf75b8f58b61130

SHA1
744a7286a29e1ee1346d44e3afde8039a180d308

SHA256
8ae31911002b6ed8bfe2c7e28ec4ea5dccdbb2f92699264bdd36569b5937a909

SHA512
72dbae7f56cadafd813e11ad0367c2e5490443a8bfb89ab00f42f453a79a9469e7147c9c8b6d8b98964ad068a011ad8bd405b13b1552333ac0086b9b056e490d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
6f4a150f8315b0a2ebdab84b216f06e3

SHA1
5625351ef694241652892b9837d8683c25394d18

SHA256
c630e80b5020c16ab3cc71562aa992a1a12286583954aa78fe57773fbfb5edf3

SHA512
9a54652c702e3dffefde9678327f098bd4b244b352929017e2c2c6607f5f9d370d9e96fdf1e32f06eb38a14d2d45d88715f5f08e65fc81f90c75b7b59958b0b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
c30b42da847808ec51246ec58a34a32a

SHA1
0a7a123df9c415d792cbcabd749ef965ecac8a4c

SHA256
bc62bcc66eca1d7edf510a4adb71f164faad351d3e7707146dd2730b11b5daa4

SHA512
e340bfda660e9a13a8d905eafc8d86303607b67919f8579c6c02adcb779452cf54e8be1b31fd82ff9c89bd5e94d3426e581f4aa681ac1714a99ef68c68cb810f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
3b7224049dbcf5b2d8f79737c031e13d

SHA1
1bed3eb6abf5f35683168f49ad2f7f122a0105bd

SHA256
df3c2ca9cbd35e8680e9bc91f33262d89a4d302d97971a3ee5b0090ad7874396

SHA512
6c36c56d5b4ef3184dd8c32b42d6f6bf293cf844cf87022d24897d3d25cdf6e0188cada02ad17a7a63e7469ffa7f5882648eb17084a82b56cef55ec6434b17c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
415390b6546e930783f444098eef1981

SHA1
c7bcb6d993c6688616ea1fe75075f00318974ef7

SHA256
ca2326e09fb4f478a5ac5f6339ecef1efefa67a1fb09f98327a7f375ea48fc59

SHA512
ab2f18527e6e50038089dbdb9b055cda3131b073f527ff7c2656f5c40d19cf09e84c909cbe5cf9f66fbc37361f402560b2cb57a5002fe86253af604c1b7c2761

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
cc926dd07b10b9d115100a785b88d841

SHA1
dedb4ad931142bad8e624e737e57c90f8e3708ff

SHA256
f97a71e03ceebfd92d5a4807126359d797084f10686d4a471ab25bd3632af839

SHA512
5cdb4fe479e0fa75f6ef543dd9010c44575b38072668b58eae715d1e90b664e93f577e509dbd2f6578564bc7d1289185d7dc3ff4ef702ad06793c88e508bad29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
609aee358faa39f1f12f064369c89103

SHA1
4032ef7b30e4d523b62200633f73547b66072ffe

SHA256
fefa39b6a1f657d2d00c80630799ed6c35e1b08a8e6395e6f004973db85b61f8

SHA512
180356cf702f8bb2eba3719e4bd2454156496b31a3a8769ad72085634f4fc48ba548c102184816c877d8ee32f3de7b4242016219af3a5bcf0cd80f6f2fd12f9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
bbed3d7071ef0e89e76864f132713a77

SHA1
e69ded338ebe2b1ec306e1b25013fcfbf1d60eca

SHA256
59d8fa42b6683b40c4be78469df0ca0c8b54abbc7e017d14cc2d4602ad607521

SHA512
406aa423601912798b9e442253da0ee209890686b8b00544052ea500a09353b03d8c3d89ce31e911f307bc8e0929563d10983978d3f6eb560e242ca1c2e59ae6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
55d94c335291065ec4377cd292add649

SHA1
8ff1b5b0841c69641689dff318bb099533033f1b

SHA256
a8a49543151e64b5952c6ed7e0a0cd7a3a2e765c60dcc7fe23fac6d2236495b2

SHA512
a89be218af2a5f670a25dbc23dbc262b933ef400d82e305cb50b34dabbe3c4e702d4c2d6e969fc16bc8ef031dbb73bb391c50cfc7e0be66f43f50e4827385ced

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
b4b422cea66f1822809266aec81be1e1

SHA1
777a4b27d4cfaf32f1adef0d5721016012b286c3

SHA256
b0bec31f47cb919c0cc5da9675b2530a634514291815e409542a34634e3727c4

SHA512
8002af3aca8753d8aa8f864f2c98594e3e3e7c14978f46d9031531fc7b3bbf9e727df9b7d1587930abe2030500d7a8ca2af7c238d8ea1ac8a454a35b851c87fe

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
db762ba425a53fa7570aff828a1ff01b

SHA1
aa2cf16c101656db70a57669488674544b675917

SHA256
21aea6be1c18f8ee0f6faf426f5b00884fd83a33afd62fbc8d25ccb741504f9f

SHA512
a9132ec3f637a84a3778ee783bc248af9091954b40a7eaabe7bd9c8c4178f4c35960ce47084b9d9fd2936d8d286a1cac9cbf1edf98620d6aadff644fddea6471

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c6f14254f358fc0d5bc0917ce4122494

SHA1
bee89b553b57c453777b74c8e2bc50b51e1b44db

SHA256
cfd4d0d82ad2218e9ac553cca35e97e70c1c1cba2ee335347491265d559a0f0b

SHA512
abc3c8e64b797cd98812929483ddac69fe86e4f0fd01c7af8ea510f43eeb111067024260e01554766ee96d809c51a02147ac7cc65ec5d588cd141c436d558c9a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d105bb909b201a67b293bc765e6e4b62

SHA1
12ca8fd5f556e39ff98c5a37c471ab1b4e90785f

SHA256
476167b12f5e14e2589f315a6af121ded8d8a632bba1bd8452dfe412763dc525

SHA512
e36af7e3da9b345e49747532c102cf0fdcdb2229f09e8560eb2f2e325acf2cd442cbea51f9376c122707e0bed7bf319bb81718a3b0cc995c10532d71133fa9c1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a7bc72ce8777a055e040e01cfbbd6757

SHA1
62221a065a7d6cb75c0be1e5461e0d4d8e8329f9

SHA256
a4d2a8d161b5267abe84b86fd43915e6030ecbba908ddacebe332d1f5c933f1a

SHA512
7e3aa27303458c5fc5d3d436211b6dd61ad5ec41947a9cc10ebd6204281f5334422bfb081ed80785a4859db05d5ba6cd2c0af1119edb692c0860fe2f2896ec84

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fc6f880d31192d9e3c607ea1975f3797

SHA1
20a5508ad8945194804e94a02733c113f34c6cf6

SHA256
d1b1cb40cde5c6897802e3690d751df8bde4233a4bb592b3fabfa6aa7e8182f0

SHA512
3376191c9340de1537c5bfd48dff40d5b666ab3335cb581d9fc208baa40981b4cb7d9178d24910f7d7b0d7030c776154ab23f8a2fed7669596a92e674aa0de57

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
02ea7d2af8f99dc25da67131045c2366

SHA1
1b8d1ea18b15a1e9c1c851a2b4afe8209e66a072

SHA256
ae123b66fd57fd32676014cdfccba063b31f8edba1c72c275db2857223397def

SHA512
d88da2d10f71295b9853cc6042c2e5e232745075a31a7bc51139b36e32c4399e1803e744a948ee94204a81c71654669116e731a45cfc49e029843e116183946a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d2364061dcef5c71bf8d5b50ef2ef34d

SHA1
10e5f57347eb3e8e7778ea22bb6bb652d19679fe

SHA256
0f339cc1dc5558389068c18d4981f8d97910830a203deb5c43b3205b6ade2bf7

SHA512
4d2b559488e454336f5fde69dc3957830a5c1c1288e4c665a339c43667ee566267c306976f23d3bd3b9ac2cd6dded1964723c373e2e0c4423426462034f3123c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b19f7596781eb5cffc98b96f057ffec1

SHA1
1be0185d4ae8b9ac1eac24ef3d636137b986cc79

SHA256
ca4356d5e6930d2f75777febaf950cbe39b9a4469445d1c3f077f7731d402eda

SHA512
b043d2e1e1fadedbe627397a86ebcd9391f625b13fea24c050dbc0351e53abf8da30e7842181ad2161640f39c7509d5d25e490c26ea720e6b55aea5d7ab31f6b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
13c9c718e2d2f14a9b912c4976e41d47

SHA1
f25f84eb4d4bac63934735d79e1ae56dd6e89c4e

SHA256
c473f4eb89588de8b00f2c891d0738c3157b86b3569d8e3051a8db142ffe5779

SHA512
585ef8b03f12abe13930d640f29628eb7d97fe4ee5b6ad1bfd8a4b33493898a957f2bdbfc295684e6c8966d44ed638569c87ad30c4359052802440de4766d9b9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7ca37ac9bbeac3b8e6a3272210116133

SHA1
ad4036bdadb61d36d06af59ec91d2903d43348dc

SHA256
8a827da2d48be31402118477bd9822a0c1831b5bf1c8cb446a68e240a5b88c31

SHA512
b3e7edf1a0201db50e5a5ef687c79729801cf6bd36853f49a89d48ede032a9e96b86015618bc287613798890e3b58eeb8b9eb3b76bf8dc1a2a74c9bf229d57d7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
01dd7535ef2fba46d91a0ee576b9e574

SHA1
0a9190fadb6cf15f17c0cb18fe4181ee09024f9a

SHA256
193e8dd6c0ad9f1c8534bde24c6d8e238e814815972f90be3b69b77df50ddbc4

SHA512
051afc4f2d63494ab62843ab5c4a0251b7955e19809af95a28e3930eddd5d2b24a1ede78543502196e1c1a61d893268d5ee198825cdcb7cd086ca487710b84bc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a2b8e5367264b2af896b75e79376785b

SHA1
a120722a8f8b6cb140892ff098f5e0d922d8eaa7

SHA256
627e9d70e119a2dd9a05d2f0729c77210bc223b9d213eeed7b7d95ffe59fc4ef

SHA512
e0fa1bd1117f1a8645f71ef07793add8616df55859ef6ab3ef220c00523cdd2e5dd130f2b9c959ea75ada267b4d9d093409623f685e6a11e8745dbadc14dfc43

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2f7dddd44818f64778ece3b028eb4ceb

SHA1
4b9fd2f273fb5ee0fe06ae68525865024999e3be

SHA256
e3252f532891ba7d6bc4deaf458a58e7eeb14ed4fd9c3b6d6133d54ab64c9503

SHA512
72640d14ff0c284157317a821da92a8468e30fc58db7f5fed174e0ab509f7ac8068afc98e177ac82ba1c3f3d6c2988e578143916459bbdcd75435d59b9aa8aaa

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
85490faede964e2cf46603f2c4e1ac40

SHA1
97724fd5abf433282423bc77d31de014b6ca39ff

SHA256
e97cfeeeb0726e4179a7819bcecebc95905855d5924d63c82b3d6cf6904ab15f

SHA512
3d16c7ebe5a6d667506e1df7ec1b63f7d3b24063a5187cfc64bb4473cfd03f3065a7b76ad3652d23fdd0c97b8a9c6b07e3f12e78a1340223c6b7908491f415fd

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c81dcdd873495c9855a726987bc3dd92

SHA1
dabbde11402de136c4f6ba178639db99f7f37a83

SHA256
60486d4d74053796cdf0659285b4d1bbe764921cafd8e2067ee14fae32d542ca

SHA512
64ddff37447ee5598831a6574ca5aa548a73dcc20c6fc3ba94dcffc23d578c41f2ce706a2a2d5da3475821e650c8e6179f5fc3dc52dddca3441f2ae734fe3d8c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
130430b07e79507cb60c5df23338df2b

SHA1
76b1584987e5e1a1c2fe2b4a391f1b05973bc1fb

SHA256
e5efbcf6db14c0fd8a8deea4df4827e04692a79487e974402faec2cb2a99e7e6

SHA512
aaf30eaa0d320ae57c6fae843fa4e34a039a242c7979235adf0d720b50e00e6638aec3d788aae7958b34114d5f92d49823c95f4e93ce2036a51fc675886a2444

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
9f763392a5136b28990fd6362e52eda4

SHA1
2e71836c8ed889c7823fc786bc9f7be4d4c4610e

SHA256
b2397a02cb2954d151f60786255ebba8f76a64593faf78e9671dfda5d898ef6c

SHA512
7589ce5aaed64a14f8a5add81b98f6505d31f8dfd7df393e8d6f755478ae534e3484134277b0b93706f5f6cddf959d42621a5948dc856b2ffbba9ec10376151d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7667f74342434a92b39b148027cad3da

SHA1
78ec2e6660920c21799c8137615c9b9d6a5222cc

SHA256
7f9918022e8b32015ddbb29b90ef55f83aa464bedb46b4e282924d0ab7c0276a

SHA512
4d3ef68c836a107ecc6bdc8fb8187a55f06d34b47d5ffa2a8cb1d9bab67e796cb512ebeb7fc9edc0f02c92011b5e06d9b48cdc5d99f430b8eb5a121857e5054f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
595731d9cf819213e00f8a8df8879bb4

SHA1
02dd3db697754c4d5183f5975cb3daa0b045eb5c

SHA256
bbcd87cfc060cd0e3bcb2b794646d143517fcc3eb2d1ca5eecb60e62ee73b1d9

SHA512
f85a31bac605635828733d4c50c4515cf4a62a68133aff2176d6b049cd22587777cebaa7b97d941a53c614dc22d11972e1c68abaef952c61059fe18e325c93f8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e304a4a876c4f5d23f23dd7584f3de69

SHA1
8dfc65b19e2eb48ecc0c47f254c6be7a2aa26328

SHA256
9fc2ebcdc569393c96eb8da4543da02786c263e69c3ee4d79b72479ce3538522

SHA512
4dacb72f087983bb67b36901b56878f185782384b1bba54a4be43165b2c58e1b90bf82619994dc13b629d8fb02914549a940a8100624ee09298e5bf2df9630d7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
308a9b8e02f9bcae2374ec1f39bf5237

SHA1
ce706dd21aeeee753821c642095ec51793f2de75

SHA256
7a6f503eeb1c61490d5d7c2b9716a832d0f6b5101c0f7787d5047b77b6787373

SHA512
f0dedb60ee4197c5aca5e69af25b00d1ba3ce60eb2e5dd2341945226ac0b827435fc9d25e0caf3b773edff29074d53a390913b7802556cf65b46370e976fb125

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
26105a062b88a06e3ce63ccece8ddd10

SHA1
deaff22dc76646400d5e00a80232537368304fa4

SHA256
2e15927d0215df25264d058be3df487342650c73334b8d5764745319c3144f31

SHA512
cf1f81ca9428b9c4f1031ad2dd37abee4ecec1fd89e44d1d5663cacc9f320a33f2ec12f83d617e286960964570e88cfda74a893cae5000cbb0c7d7a3f0dd8f33

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
dc02a2eed47fede353a154e501b12890

SHA1
f606b827384970978620accc221cd77b7d449024

SHA256
edf62d5fa62985c0f410cefa708a6fad5f419d37546c5cdd3df22fcf2e2ede72

SHA512
101b4526605757901343ba0813fd25db6491972be3c9348fa584b3f9739ac8fe07c52e9f0adec85b8c8718b095d1e3bdc7acea54cdae6c2c5223fa91072beaf2

Download Submit
memory/396-515-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/396-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/448-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/448-516-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/488-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/488-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/700-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/700-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2156-1-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/2156-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2156-96-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2156-8-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/2236-520-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2236-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2324-417-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2324-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2648-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2648-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3084-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3084-517-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3124-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3124-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3124-39-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3124-33-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3168-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3168-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3168-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3592-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3592-101-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3592-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3592-107-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3632-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3632-94-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3632-97-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3632-88-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5032-111-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5032-166-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5376-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5376-83-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5376-78-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5376-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5420-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5420-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5704-514-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5704-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5712-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5712-66-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/5712-56-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/5712-62-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/5712-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5764-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5764-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5764-497-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5788-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5788-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5788-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5788-142-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5888-522-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5888-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5976-110-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5976-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/6132-521-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/6132-167-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download