0ee8a84e8677cb8ab95a982bccc3a4bdcc05d8fa9133769ad0c621e43f75702d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 19:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
Size

1.8MB
MD5

0c976f224d2610ba8735b488b8e2dd55
SHA1

d869b42f3a64e9729e7cd8a0698019a769d53b83
SHA256

0ee8a84e8677cb8ab95a982bccc3a4bdcc05d8fa9133769ad0c621e43f75702d
SHA512

fc32b0d89d14d2b1dbb0df6c01ebf9f8058172fed5caea134fd8ae2c1122f15b2befa5beeeed442a7159669b7d769c2bb4ab9fcd8f2b5ed08d87ace6a014dbcb
SSDEEP

49152:yE19+ApwXk1QE1RzsEQPaxHNYs7YSLTQYWkK2/:X93wXmoKbJ3rL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1520	alg.exe
4068	DiagnosticsHub.StandardCollector.Service.exe
3416	fxssvc.exe
3800	elevation_service.exe
4092	elevation_service.exe
3796	maintenanceservice.exe
5056	msdtc.exe
3208	OSE.EXE
680	PerceptionSimulationService.exe
2960	perfhost.exe
3328	locator.exe
5100	SensorDataService.exe
940	snmptrap.exe
4952	spectrum.exe
1920	ssh-agent.exe
4416	TieringEngineService.exe
3364	AgentService.exe
3664	vds.exe
2740	vssvc.exe
1172	wbengine.exe
640	WmiApSrv.exe
448	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ee14fbf8b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e63e2b568b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ec63eb468b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e98862b468b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f089fb368b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eee848b668b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
Token: SeAuditPrivilege	3416	fxssvc.exe
Token: SeRestorePrivilege	4416	TieringEngineService.exe
Token: SeManageVolumePrivilege	4416	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3364	AgentService.exe
Token: SeBackupPrivilege	2740	vssvc.exe
Token: SeRestorePrivilege	2740	vssvc.exe
Token: SeAuditPrivilege	2740	vssvc.exe
Token: SeBackupPrivilege	1172	wbengine.exe
Token: SeRestorePrivilege	1172	wbengine.exe
Token: SeSecurityPrivilege	1172	wbengine.exe
Token: 33	448	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeDebugPrivilege	1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
Token: SeDebugPrivilege	1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
Token: SeDebugPrivilege	1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
Token: SeDebugPrivilege	1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
Token: SeDebugPrivilege	1140	2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
Token: SeDebugPrivilege	1520	alg.exe
Token: SeDebugPrivilege	1520	alg.exe
Token: SeDebugPrivilege	1520	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 3240	448	SearchIndexer.exe	109
PID 448 wrote to memory of 3240	448	SearchIndexer.exe	109
PID 448 wrote to memory of 3252	448	SearchIndexer.exe	110
PID 448 wrote to memory of 3252	448	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_0c976f224d2610ba8735b488b8e2dd55_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3948

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3800

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4092

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3796

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5056

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:680

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3328

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5100

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:940

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4952

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2248

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:640

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3240
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8824cef51836bb4d1b91bacc522d0941

SHA1
5c9d4b7a16a2486e61a9d489394a1c800ffc3374

SHA256
7b5e70b82cf441d2f50491f10a9a5b296df2951f94b295ed9cfc633a5f9ef953

SHA512
0037c588ab11054545e5b3240295208ee2510407b5f22042e61ca529c3b33c6a35452bb42c3dd499e2a0d6291429a73f22ca1320069f4db6db2877b6b8b9effd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
228a355db03ec700fa02487f710d3024

SHA1
a535fa66cb1ef043b7e7a55a1fd30b53d6a2ee9b

SHA256
1ef5c8d3e78505b27e1a26246b3b354d5bca06bdafbf371924c6ec21e64fce24

SHA512
613fe9023f737e4cd5e6d669a4b294a2875ce97c9d413680d1680e1eec3c162ab8311272d4db73ab38ba200f21c883a083e2a7ed371e382353e11efa2bc1c540

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
ec33d9c02a1bf00f2d12e8505776d8d3

SHA1
2c32941c03224c451c70eb95fbfb248bb26655c2

SHA256
c270718eb34241cad761852475aba1854802fc2e1f239252efabd483c5e04bfb

SHA512
f2584df4d341abcde3c29098700c1621adb041447440df99c509385dcc95b53819947624aa009b2bf7e7bef2d10b74f8f93f269e2dbcc0f9dc6c602b5dcf12da

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b722fbc6eb21997ddd359e5eae8edb18

SHA1
ca19081f5455ec211ff17e06c8a7661a890fa560

SHA256
d63cb33f4f4eddc07712158008f5592796fbc2d8c55ef18537daee767fb5b3fd

SHA512
22ec3f852200467db9fee5e372ba57795e832450701caefb993e653425f70efeed621319ca5497d8ef810dcd225c9e1c4129836db01cef2cfe3bf077604f416f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0b5b555a7fc17af6d3679ca18c216a4e

SHA1
ccd539f41a595943a5ec58e200ff480a5aceb06b

SHA256
06bfb53565857c62d7a88357d364583c99826dc8a61b6177058c47be672547df

SHA512
eecbc8282a3d4d9b8d99655f2abed7f7a98072894bd52a4aa5bfa759796b5de07803db27025841010b97c88019c3e4de9d9a7e20b99f2c844bd23243ee7e5911

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
b1f0344c91a08910b6979a2223e666a2

SHA1
77749666c46690b8a1ea8eb3045d41e302062969

SHA256
5fb6bc3e8afbdc0ac4298391d71472fe74573d0789bca6b7f08dfbc56c352eac

SHA512
d6051e12f7f20407465fac121a2658e4534e9ad3b7895f8323dcc6f45bc5604f812dce352c332bc45997aaf78a750166120fc6a5b5b817bf7d5bf0c133143726

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
43baecbf143cdc5e31db215a8039dab4

SHA1
1afc59c17dac9db4bca4154e13dd37086c1ee692

SHA256
a5dfc4edb8d138bac438582d169ed7847a4f643f76c94066d9bccc9259a0ec6b

SHA512
e258b1a5c042f60e5c6b31eba74d393347e5878eb4cfaef3fcb8e5cefbafc438af0f6296b8fefdc5c160e23455835190386ec7c4db7c23e399dc753e9370d688

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1cb959587b54ceddb0c8f04f9f71a536

SHA1
d771e64e83c11d3bc7f83a00eae0356a4dc916ab

SHA256
a055b4448528829b2052ac11ef97fc4a8da4341dd02e767f6fdb4d47d08fb039

SHA512
891f293b8b65e026bdc2bb0ca185affae37ca95c42c4be96763dcbee515a3550fb0bef81723a266c9534c2c5c085af8c0426c7eb6efee35ac9e267e7b9554dd5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
0832aeb7bdceb63c1c0735b52332dc6a

SHA1
e45194cfa9294edc6e78240a48360836a4f76c6f

SHA256
0979d680f312e69f2b32a932006d8556b1b399b08ea40c77cfcce0529987d0e6

SHA512
f59ed1cfaddab3ddb3aee8a44b1ea939a91c4e0572b957abae464f749973f55fcd7764246b2cae20715df1a20c6e177dabef9587c08f0a84bfe1d74553855e4d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9ea8cc873bb248e28ef289fc18fa7500

SHA1
3008d93a3ac8f325b23aff280b8a607d8ac0dabd

SHA256
d519ade66be2f72741a0a4080973245ec4f8ce0c7416e924717b931aef38a480

SHA512
4f0e13ffe8be58b646657ca04e90589dcbafa21fe86cd62a093c5c56abeab7b45b7cfd69b8b232b0b9c5fdb1afe5afb36fd766f6fdd452cd7fc78413ed3074f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a84aeac2cd142a640c5f4eaadc7b48e3

SHA1
da63728c19051e0d4b4243e93e8040badd8a8d4c

SHA256
bdf2f4f36de78b4a4b195b44d41ed68059a4f6c4c58cf4f18dc64abfeddaa722

SHA512
4ce02e8aba3d2dad3cb832acc7b2ec68ce63d3b2ecfc83e9f4405147a337c3ca314f206bdd59a7864cd14ca60b3280c5506edbab20428db400474b97c160383a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4bb3e143308a430e571e0ab4b62a7729

SHA1
d9b2fdf95196226b8777ec00789181a7d7b25dd1

SHA256
4f30afc99fcf9a2795fb17c78dd5e05601ed5e7a863d387e035686492c240ad7

SHA512
948298e73f1e0a11a0ea3f3f186bc13a47bd5fc621f104ce0ed46c981b6212a5dbf5136cb184f0f36428a5d26ed3aba6dfcd34dc7e72bafd803ee2159c7134c3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
1f4594229176252cb9e40abc87617ecf

SHA1
74649405710ee2e9ddba4e99eb906e1d707acb77

SHA256
f951ab86fa70e24206b4ea9ec2454ec89dcf7c1eda64641458e1df477bf39086

SHA512
6768906c51f19bb9ee75f652593db27fde668884cbfa889015667e6580195ee8fcb53e816aed66a8a179f549208bc953ed46697db5f66d1e89f095c2ebfdd1ac

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
9f051f12a5fe6c2f3fb94d531ffc20c3

SHA1
39a02c0eb12e4d23f2fd23b0447238990d1b8d42

SHA256
0d5b80a535dcd070928a4d1b602154979413a66f34b531bbb475eeda05cd5a8c

SHA512
4064ee69b79cda898caf4904d10cde92eb8377d258dca7eb7513ec56d2346968312f37b434143c3c69a642a4eb995cc66777b42acb1a70c1301bcf48ba108077

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
62a888641a9681ac00b177741817d5d5

SHA1
bd0abb7143beed548fbc41cad027a0a1c7b81e83

SHA256
b4b807a45b8ea04f6143bcf3d5f153cf9d8c13cfcbaa50c76c8392e30950184b

SHA512
01cee5ffa017638556ff29688be44e67c914836b470d2d29c23fcb8f75a3c27904baee9119442806729971e6b3a85c27abf92c5aecde3a093a1920839a9d7241

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
cba065ec4622304dd731756bed599591

SHA1
9d95e890abfa42c6dfbb516b96f6b6cf44fade59

SHA256
a357f09e794b19e72c134e37fa3d4e74230a2ec08c11b04d2528ce8ef3005155

SHA512
a9ff60ebe2b941e61fa9d539b60a9caec7cb408feb6929c40c2bfaec3d340d9d9c6d74a0521b10ccb91222d3107e318e1d5c8ff928b4ed8445a90a881be6f50b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
bc92d572719be0eee8114dadad9bbd3f

SHA1
820d7f8bdcf40005f9c8075e8f0add3151a00770

SHA256
7992e0403a62b27512fa24777bae91d60c32b2f24e9cbec822081d58022b67a6

SHA512
96f4f14abd2b516ba48759f667076312e54318f20088326a7bcffe18026677992aa966844c29900458c370493ece95b58377c3f576d20e6cf489a736914a4e82

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
55824672508c104619f09ccbc755b713

SHA1
7915ae21adc4bba7e49ec0e624b23b992fbbcad4

SHA256
a66217e220c405d99b8ec8a9632b38be5225ca18831673cff775260702bfeb7a

SHA512
2599e962b590b458c9c1d07cca93ed15b29edb3f589ececbed63743a12af8877fc87dcff413671c4c5c90d32a5bae7d852614bc9f078cae5a889b99d2962a506

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
913857f13e62f2954a22f8b1e4b7e1ae

SHA1
729ba433e7afb0c3cb7a922d05bb87cf20f2259f

SHA256
f5f4a4e41e30216ae7b2a0c7f09d96993dfe17837c11323b3f2495c5fc546565

SHA512
39f0e1a4f4c9ec5928d9c4c81f5bf8c8e289e8e42a7a1f0cb002e9220ed87f2e73507d153a6d25697bd0a145b0543629c837c0022c65a330b74c0ab13a8c4c17

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4598b0357ded7d377274c2645713fb9d

SHA1
459d945520f15559b121df69ba8e1f4eaee63dc8

SHA256
9ba59c63b36087474fd82ffd94dfc5943fe6850dfb266b38fc009dd3ec20922a

SHA512
bc8a2685b160979b9388494595eb240ea3475dbd364bba3575bd09f58e5722e14d5dd8f9ffd68dc691a74eaadb03c9cfe7e63cc52c3db154f5b9a2cb98d467da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
f6270d22585dbbcfcf6f42dcbb2192c1

SHA1
cfb38500efdbf181319080fedd6392748bf703c3

SHA256
6e0b116fd03580d247584fb1a5bdceda2207db6c301951f1678d6eb23d1b0fe3

SHA512
d5fa60ccff67e8e5a712e8d1daf2950aaa40a16ffe823a1238d145b0af0b72acca64a4716c3d2932e2a1287d250ffdef81b80dd711e53476db6e8db60af04178

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
24e48cd8150b471e4ffc20ec4168bf15

SHA1
41deb653f64e20a2d612d3ad81dcd2bfa0d77025

SHA256
8e35083a2d446c1d91bc14598a774541f6315575f5fdab9421e4f3a7c70dc892

SHA512
3c82a5c85d51eb55d7ef2910483e5bfb25c6d0c43edb6622f026f43bc3b060b18fdf01da9f33500e9c4f518e674a1b98f65f63cb6b1966a3f377f64d491af190

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
deee84275adbf9a8e62685cb2cfd5ecf

SHA1
92e5494d1054013ffe680b19049b262897833c82

SHA256
2cf8d826259797d2ffef81e88a1a53fd6b524d723c51582bcfa197fa0c7bf733

SHA512
e603a295a809a00cd3a80736f7c7bc209ab54cd5501cc36d086a9193673c636e0d426bc81aea9407cdfb4f2f111cab97ee04d3b14931dd101105be5bea2efb17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
7d1181c867d2b4699e6930bbbbdc0e3c

SHA1
3d2736f1bc3da0b38b8e1d80cb8a39cedc4b8a02

SHA256
9b47729ceff08364e7d42f08413dace0979aecdc3e3380986cb89e9d23d3086a

SHA512
71fb52a5d6804e37e9a129df6ca2e5afcbc93bf49b1f3f4021b02f4fbbde64b1cbb068dab38032e808f0806d1f36a882f78a1f846b36dafe26300892090bedd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
67f2956f989ff34796ecf2918474c19a

SHA1
17384afce914540719d0b71c4cf50fad0b775040

SHA256
13c71b4483d5ccf505731b3399f75f0d3b8b3ed0906914adcd5315fa54273763

SHA512
8f38317e600e06f4a270c51e624d29c1d5c1369636d6e183a0c4c60435ba343f60b95bbc25b5b04e35884e538b740193176daee2b8bd559e8ade348a512fc3ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
80c41904e966e007795fe01ec0ce7b72

SHA1
4131f1380617ecb176e898e625fb0d4497e8cc7d

SHA256
2c0c4309ab711547769e494dedb5c1a55fdbbcb8a9f056034eb9c9f8f7a822b6

SHA512
c12d5b05f9523aed344ca3f20319891d3905956ca89947bb10fa91d4078cec1630e1aab0ff7fcd8f24056fdaf27b83a9c1948a28e5f8b4ce0c242e323bdae762

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
9b1da07df8e21de3c0b16926ce7146b8

SHA1
e3f780496ce556e6fa5cb3e70dd8df32b8a03828

SHA256
de885e818f441816126ae8f662817b2f315aa8ddef54dda46431add734e1ed2b

SHA512
11802e117dee15c30f5338f9d6a9bfdc7fee0dec20d5448c21d35fc5bdd22671502245f6e6223d740ae425b1542e7f329ef061f6dc8986023f3d0fce8d2e9812

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
522dacae5c9fd1f4713b031d01855de1

SHA1
5a973c4d77375763d6664bd2b632d34a7ab4deb7

SHA256
6570e3ea94eb44b136757d630903ed43ca1673eb81cf202e3eb85e6d8abe0134

SHA512
2dcf9e9f4d28242384006c392b784546d7b205ee64b93099511d97117f307bdc0dbf9c220137d50d4cf82b454c6b0fdb9273f2bd09bf185f1962a98f41608f06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
a069800ea6db941e7db7b7ee7dc3263a

SHA1
b681f77664c4a38e263e365a16c9c73f354ee65d

SHA256
b523948a8403bbd63042023beb20f972768e63cc6f02610772a01e1030c5c754

SHA512
5c934c25032842abcb118a53443cd9a81d4f46bdaa58e6fa8664a62a834646f88d6736773f9b25d9b8378d537dd28324fb75646f2196104b552edbed94aeb42f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
276fa08c1b860d675ebb482f1e3aba46

SHA1
0a71546e4bb4c8452ada1557e9ab4cde3447fc6b

SHA256
67527fe7bd72a42ee883411181d31b119fed98ffb8100754ff58df757566ba1b

SHA512
a4f79fa433203b90a60bbc997dee36c9d528a794eb4b74b0438bbdfeab51e2ce7799bfba5bbef2afaaeb3aecf1e326ed7bf9a0d50693f7e562f9be4d1f7001bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
c1b53f0e9e3d2324a13fe78736cb87d8

SHA1
0dbf074a14dd6cc68836249d67ce57e98ca8d558

SHA256
9467e1eb679482767545392bab22fafdf4a20dfd58ab67eeaff93689b5bfcad3

SHA512
e70af6b17de8c5c3f2e3270da293a68bc880e74465b68b14dd49ff3ed68bc34fa63282581f423077378abf4288740d75735e5417fe43fb68dbe1609dbc2b608d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
51e34b4ec56e35ae24b8529a3500cf9e

SHA1
1b9741ffcbbf7bcf794d8c8f5d7e0443dc472878

SHA256
08f0a03387578e20ea79f3bef9d4a59d72ee57c7d3eb7b1b4d3f977459ce4dd8

SHA512
ec934ea8182f2a7893d3a24977eddc698fda13b81af6ccb80df35cb836bbb48c70baba0a40c39fa6d2d6c958dc02970b5d50c15df01e40745fea7c8a4956640e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
d9b08c030ef368d1d71812387b4e8d88

SHA1
5a7b5131e44842cb584887af7a6bc851b5302c64

SHA256
d0d1eaefe401af6d2c12e89aeca4e08a6a88a1750db6e19b47ae5a8203821e19

SHA512
61f109f3a2d1b3a08b7c75915877b694e26005137bc797f2cd63d534828b66a4ddfd90a77ef14863496c011e18c333f21b593bf6790ad16fd509a141368474f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
c0506747ad9574bb8b63ff78749df664

SHA1
d0eba04e4cf139598f8b670b9f501b108483da8c

SHA256
8633cdd4b80a1bccc9be1d05cdc6ef9887f4a9345b250127d70f7be2c2a7f626

SHA512
fdb253dbfc623b2511f0d8af0db2593f6cc4375ebb835514f527ad37c427f1974c13d5433139be36e6b0ce30293804c1a1f6adcc4cfc0e4083f8ae1f5b3620bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
d4d5657a517f1708e17183bc97146718

SHA1
e4ce49e1d15ef5c45ef79adc293129d397c7e062

SHA256
fd2aa76cd55e0c1bffd0c5c26cec375b1c41d4bb8a1050f480ab0d810c5ea276

SHA512
c1cf4bca7c427421e1529b8f44e6c5823c0c0736ec283de5441f71ef839ae560246d0db5bfa64c0b78a2aad2ede579ca795217d2e85f7fd01d8f2fc886f173a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
87221937daf247927748d5303e863623

SHA1
386259aac17b6ffc76bd483ad021f126a9cbdf2d

SHA256
2263c0e96c74d15bb059cca7bc597a3eb8b5d2689cf5b590027c28d64d54e72e

SHA512
da9f07d6c505d378a86bfb7a12edcf60b47d989902399c5fc42c25705b967905f43ccac8dc67ea8d6815daf93660759822124e033cedb76e3519a9334baf8a8d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7366f11e561982df525e7796931e7bd2

SHA1
ebf68025754a93b7243608e2c463b7b654777aa9

SHA256
37f28cd5ee285a773cf6bc3b6d719a89a59107b4e0501192b925fa4368a1060b

SHA512
228ec17ea3e42f02511c8605fb193078b09a8a3d84a2c8b957c66f58e8f6ffbc12ec2aa553717c1d3c2e2078f831e1fa453dcdbc002012d61e4ffc0a79d97bf3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
6129eb6cf68fe561e76af663ef0a4ba0

SHA1
0cf1a39dedc0d4e5b37fd3787e493cecb07c9d36

SHA256
42ee3dc6eecc4694c7543e4cee6bbca908651b0037e9baa40f9c03061330cb77

SHA512
f6718e36551d05abce5f280740c4a4aceef0d8e9385bf905d7246e38e477e7be2794051e94d4a49847a75442cddbc134924b7723b2446cb1b5ff6b98b054df98

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
bc0cd968600738d6319a3e6550fabcd8

SHA1
5676e9aeb778b071db72ad4ec23b2d4cae2c2eab

SHA256
7ec5e00ad452ebdaba6b57ccabd914607f79be9c5fb187cc8e268827fc8b0136

SHA512
4d22fbda6a61cf1f116cfe0aae4ebb1d2c29f360f4d7e272da0d737617b2ae6f1dacfdcbd94ef512cc93c1d25244b5cc4a6ec3b47a40c6f39078168f1e601f5f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
83157c4779d5d3d188dfabd47bfff3b2

SHA1
b93434d553f3b15ae2b962ee1fa24895eb282d78

SHA256
61319a07f37d22be09653812f0c1f2ea8948dccbb4977956045f17264f7e92f0

SHA512
3704468387651986c9833e90c6346c561bb65ecf30554e7c01b0bb9b979c9bcbfcfd36a8db66601e58361f2f8742b75f11e04bf476531614bb9d4c365fc23d63

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
c26e0ea4ba89d19c6dbb709f386bc2b3

SHA1
d0583d86415b2699d1ab03a7cc697670a9604b10

SHA256
7b670fb2784b3359ba014687230061197aab161f1e11e1c1c880fa6344efcac2

SHA512
94a55bad5457712445f70a7f591a5feb7a48ac6d1cc690c7db3959bf8457eb320d79dfb34107379e293b661ae1f882e0c571acf123f6a21d2a08f695b74d6af8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
266f169d878cbf26872884427a5f78da

SHA1
7f3521667e12b8c7c508c10128bf0f66d111edd0

SHA256
43edaf36ae1d646b0c99284d4b6dc6c94277d5843d3de8850d92a68be7df181b

SHA512
e397ac10cb3654a69a0b547f59a9d57348a3ba0122fa56fd6f4e868804959972ad6249ca7a5d6c3427910e1a56bd24f237df9f6e32af10ae40acf5510afd64b8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
5e665c7960734880b3d7accd9426eb2c

SHA1
b75df8d04e1829aecc5295d13c2245127b70fdd9

SHA256
78f76c7b4f164cd74d8e8d892ec74519a9dadbb2f4ef0816cf5e6f1bab01e5fa

SHA512
8d3d030d5992bbc3402e025693d7a618f45cedbc8427e0eec1ab3719447367cef4a8bb383e7e0a457a4c6ad743bbae2e34f3af944cd8e8c7ad9e6d578be94eb3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
aa5d60c61701a7fcbeb26856b8c01b70

SHA1
6a8fe9a1558ea352dcecbd4902b1f4cda347b4b5

SHA256
37485878f278079868a9021c3275621514d699724af66893fcad603d43c08f9a

SHA512
0511de76cc8fa33b03b0da086e45cab42d87a69fd4349efc653680d642df5d41347b5073a5df9f720118e2ee0b7154bb4d8f0fdfd37ab16174552ec9b116e88e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
3cc115a45571ae8ec95604d493f9ad5b

SHA1
134ed17eeddda64b3fe46eb21800fcf097363114

SHA256
5754265d6de62e898be916e036913fcc4c0b265dceb9ca71baba49070041e62a

SHA512
5c844b7e693c60cd8c0f1bda8af90e245cd7096b2194853174d9b3fb702f1b08a0ab7dbd20b39fafbeab138ba40da09473ea8bff5e0513615efb3dae62711af9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
16f102b66daa58a09c3cdd8b8b9b0671

SHA1
c25aed101654a1f079b40ef4b27d71f550e6f16d

SHA256
bb787bce1d9cde01e0dc8a1dc5817b4ff54d1dce3cbadd0fdf7942fa41d0757c

SHA512
005cd9c4ea10fb21ac74990bb1b504da369dc398beae75ef0ca69833e70277a653e71e2797c98a9eecc90fb899309820ec9d1214daa6b60d67c7bbd582584968

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dffc638b2ab8445341dc3bd85a52cee7

SHA1
c4259ab5d29b3188466a6b30c217df4245a4b741

SHA256
864e6c721942678d32674328cebb5f66c691eb1b0a8f5a1fd5926adf74068b80

SHA512
2af9e32a089069d5841627ba16574333b7fea8ce39df89c7fd85e03d00c81fa268291e1575bf9151929bf7e5ef2e3cd28946e5d40aa74026a486465d1c2bc7ff

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
50bd01a9795d12299185e15ce813b60d

SHA1
13634cb5be60ec55134fccccd923f147d819ed16

SHA256
c315c80c9de27c0106c609e86c6c06170844d84d5221bb1a67fd67bd4ce17490

SHA512
b6fde29ee2950f4993d0aa66d12934b88f7199111a1cdf9670e5e36aec3b4f746bc51eba0973beae12c5ba4dcd3c479d7a3be9763b50506b235c133a22478b20

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
9b557f6299e998ec0c5bd0c98a0d77ac

SHA1
12b15e0bcaf6b8c88e713194a8d0fd8bbe3eb1dd

SHA256
81c6f612903f1a42228ac346ac9328b4d0ed9667358a337801403c58a2fe969e

SHA512
e1eec0ddc920d5cebcdc6c800543cfe3a3953582af4c320af48382042e20a8abca639624f5edb8eb7a0304c560cd340f50dad3a629b2917e5c3f030cd4de2a1e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
476465bebb3b874a9bf805d15476e60e

SHA1
7d23553379e5dcf353e38a167b74335916fd53d0

SHA256
08ba736bb136be501875b49adf845cb38a874085620a26125c3761132f93cc5b

SHA512
c3254af84e80c8173906467fb5d7a9e500c8f13a22848d50ec8f2f3cc46dfaf99ac01e597daeff54308be3815e5e781fd11a38a78da0fbd190acae2d5f8f6aa9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
55cddf45cfd2972c6984acbb6122300a

SHA1
bcfdbe232804762d566fc0183b9590c6b0105939

SHA256
904f82565f48398c77cada3a2de2e39d849b1df4f7185e492f617921834e175b

SHA512
557c0b5713ce96dfc4af34d14a3a08c5b0cdb7cb1c3b4798f0d8fc73a7e0f38e99608b9ebc48d4888b9b83710c840d851908c9f131efe5257f6884a8f008277a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
f9b7f2acf9ae5a598a25567a5ea63e71

SHA1
8d8e3572477fc27ffe5cbbaf485ee72d985a8559

SHA256
c4ab1e3c77a68dd805650ae066b6eb7cd659b753bcb63d16e6e2c7c6faa224eb

SHA512
8d0871c32de1540ca63a690aa492903dffce4ba804257019dd72a0a8441438b9c272c5a308374aec69e25ac56602582a4d0b51f9b78dd9e25a4d625e6ef7ecfb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
d9d3c2e9c13b5b694a55295e7dee9899

SHA1
d05779452090773a81e648bdf41c301615bdd8f5

SHA256
c821407b6ca18d3e0f5f90fc1d41c3f2842cef754771e073401546396843c463

SHA512
92f6f6612d4bc8e3942b16d04f63caeadda5198cf521a5c9e1809b68d2fcc4515baecd9a2a4e1900e62e0095ece8d1e723a9553d9ae2792d546d10c2448ddb25

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cb24e479ac529997195b6d1720926752

SHA1
f41c9d2ad28e25417280aa94543a3c8e65e88ac8

SHA256
6a49116b18b6232f9cfc9cf19babfbc3424e42c6000af776d1dd11ab5f68f3af

SHA512
337e3d249fe41c2426400fda49a45739f4b3edcf487337fd9faef92868039e1fee6a1aebbb35dc4b5f64cd37907d44e5efa9a16be59a266a761a1ef4269d721b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
0ee778a2380591f8b95be1ecfd628a18

SHA1
2adcdc5821d5728e2eb36c8c5ee0994e4f75093d

SHA256
dc7c08059d36f2b7e852ae6a185003dba2e44ddf7e50b65f4ae34c46593fdf85

SHA512
14ee36f9370afe906a5c37b97f983152db7cbf10785ebc6189624fb4530a16e29f3bb56df751334d62bc9b99cc02d3b26334fabfe0114ed046005600c609b90c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c249418e8ccb5295ca79f053f351c9a8

SHA1
741e5d143cda392ab4711f113f000cf8e5fb3d96

SHA256
ac9395fb13aad3589b70828b95d8315d5b0a8c2d197cb23928332bb569885fb9

SHA512
cb46cb9bed885270b16856613cf2c3b575b39cd964e37d9273a9317b09a823a2aa20a0284fea233ffce8c7b3985c3a39d374809cc74cc45774a27af32528ca3e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9fb8ea26f545a60981109a5326699109

SHA1
ea78bef44a97408d598dca093e21be944d0bb475

SHA256
358d31f59ee78542ae7c7fea6789a53c9635bed00a35bbd7f065020a7d588bdb

SHA512
1baedad7bec32a65a2222a0a57e164803648d7c658f979fa75e722bf563501f20c46a73a0a0526ea8d23456558de0c31bc23dc2f211a1e1cacb69f23aaeed64b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
e548cffc16171ea5da26080917668c76

SHA1
79b04a46f697642c54db9a585d962643a30a2098

SHA256
3b68e8e1a329e37d3eafa61559fb3ab30e61f0b7bc9358ee1cb037263b79091e

SHA512
0a8e612804e6443832113fa4af55d07a8826c2b3dffd5efb8211d73dd2cee7a21a210215a5a7525e66ac21f709ea408a9f199f8152ec266da0806d364ea21a8c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
6b7436ff5a082a7cc5c596e36c0d90f4

SHA1
b5df36c8542913f82ecb53e599119cce1e34c32b

SHA256
59ccff9f35030850ff47ab6e066dfedf46d5638faec8fb3bd4b3fca70369f3ca

SHA512
aac0840224082a51429b7750a3be0c646e63fb65acb5f4a788dc5d228b0fa7af0162ef37bb4bd2cef31950b0c39cc8de72b7ab505cacc9e68c1780ed3750e6e7

Download Submit
memory/448-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/448-593-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/640-277-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/640-592-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/680-155-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/940-181-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/1140-84-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1140-8-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/1140-7-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1140-0-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/1172-276-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1520-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1520-179-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1520-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1520-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1520-18-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1920-272-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/2740-591-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2740-275-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2960-156-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/3208-154-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3328-158-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3364-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3416-39-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3416-45-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3416-61-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3416-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3416-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3664-274-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3796-87-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3796-80-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3796-74-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3796-89-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3796-85-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3800-587-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3800-50-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3800-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3800-56-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4068-35-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4068-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4068-34-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4068-180-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4092-82-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4092-586-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4092-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4092-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4416-273-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/4952-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4952-590-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5056-91-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5056-101-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/5100-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5100-545-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download