328589c7e67b6b0cca942b762b56066b9c7b7f41e660760f1b1872b4cffeeb29

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
Size

1.3MB
MD5

5a2a3612fe5c432fd073dadd147ee9c4
SHA1

ed798fe7fcb48ed9345ef35a9f2a7868d5dad65e
SHA256

328589c7e67b6b0cca942b762b56066b9c7b7f41e660760f1b1872b4cffeeb29
SHA512

cdae2ac37dc53ea51f15e6c6c54eb45a65c104e5a67bea55459af5351dc3745ef31e04f173ae554bb46a214ac78b25f295f592bbde5b0139dcf3066d254dd892
SSDEEP

12288:TtOw6BajMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:B6BbSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
852	alg.exe
4216	DiagnosticsHub.StandardCollector.Service.exe
4416	fxssvc.exe
2624	elevation_service.exe
2304	elevation_service.exe
3568	maintenanceservice.exe
2540	msdtc.exe
3268	OSE.EXE
1292	PerceptionSimulationService.exe
1408	perfhost.exe
3260	locator.exe
2684	SensorDataService.exe
4548	snmptrap.exe
3760	spectrum.exe
2180	ssh-agent.exe
552	TieringEngineService.exe
3284	AgentService.exe
2264	vds.exe
3572	vssvc.exe
1084	wbengine.exe
3496	WmiApSrv.exe
4040	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1e45ad5a4a48edc7.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaw.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000279e793acbb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1e83e39cbb2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fe65d39cbb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080e0d939cbb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cb18c3acbb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b1cd539cbb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024a5de39cbb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004e49b39cbb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
Token: SeAuditPrivilege	4416	fxssvc.exe
Token: SeRestorePrivilege	552	TieringEngineService.exe
Token: SeManageVolumePrivilege	552	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3284	AgentService.exe
Token: SeBackupPrivilege	3572	vssvc.exe
Token: SeRestorePrivilege	3572	vssvc.exe
Token: SeAuditPrivilege	3572	vssvc.exe
Token: SeBackupPrivilege	1084	wbengine.exe
Token: SeRestorePrivilege	1084	wbengine.exe
Token: SeSecurityPrivilege	1084	wbengine.exe
Token: 33	4040	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeDebugPrivilege	824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
Token: SeDebugPrivilege	824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
Token: SeDebugPrivilege	824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
Token: SeDebugPrivilege	824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
Token: SeDebugPrivilege	824	2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
Token: SeDebugPrivilege	852	alg.exe
Token: SeDebugPrivilege	852	alg.exe
Token: SeDebugPrivilege	852	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 2400	4040	SearchIndexer.exe	116
PID 4040 wrote to memory of 2400	4040	SearchIndexer.exe	116
PID 4040 wrote to memory of 4792	4040	SearchIndexer.exe	117
PID 4040 wrote to memory of 4792	4040	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2560

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2304

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2540

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3268

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1292

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2684

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3760

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4164

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2400
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
58fa19650b7d3b6783cc1f2caade2a8b

SHA1
438cb88434d3789e4b468d9b28ad221c6e0e1ef2

SHA256
d9600753235a7823a4b09b6750c564d0fc15df9703291518e20b809aa97ccfb7

SHA512
e188c37ac0bd27aa7bcb465cbb41e26ae9d30772d4903310b7e0d74c31ce376d54c4fe80ef90fa44d7bd7f85a25603dbd6ce7054fc08e272717245609978e6bd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
270f494505fb698fdb0214992ced1ba7

SHA1
f489cfef44c5573a24a01842bf2d5f2d40e42c24

SHA256
5a9a2dc7b9a9182a61eb6f98ea2d567fa1d7c4d5bcb77f3d18833974b8733f53

SHA512
baec4e2e15da729e8242ff53d9fbb856de7de8941941e3b1a1a96daa89eb8fcf441f3243c64e7ccf2637d55cb06f94b37b1a0d6c8ef4c768d0b92ba0bb5221b7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
81163595a8796a73c4546559acff577b

SHA1
67ff6421709700da76862490206a1536492e66c3

SHA256
1dcefd0c07f3b0739fd0c3bc7f33c23c65eebf8e3d0f32bed16203e0f847883b

SHA512
2b2f5293f3b7ab60e7698cf3f9a1415e2371749a499ca343b974014544502b80557581b6d35650bec8cb6c052819c9c9e6e9c05892d57e983d63910b84891cd5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fcf8a2231393b067319081ea81243802

SHA1
bf9592519068e7a7fbebc4734a612390ca788bc7

SHA256
af58ad1249f96e4bdb546b5f86dbac7420edca02e7fd2ac07e0fd81764b25552

SHA512
a6c28c7636434d42560910287e96f2a1d83a2f4e22e1cb1381cab90badef9fd5f563a6217adf9e88b114abbb029fb4269a1c070471ceb8f666f3c1e55807e758

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
512c5d54bd8664ef814741d12da660d5

SHA1
89cd149f3339c1c0f572d30c03e2eaf562eaab31

SHA256
ddf3a5de340f75c5704f7d1f03d6e6936ee5cd66b1d68d2f1c9f2251fc0711f9

SHA512
548bbad2b8f1b1ae56dc8ecc914b4afc4394210bc440ea1506697f2748195e02ed4590d2e0725b6c6118d89983a3b5c9db32ee2056e636166d2e8ce114d467b5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
ced785ea4046ac613b6e5be24118b7e2

SHA1
3967ab121a3a2fbc6badb7f3f6d728e9712540ac

SHA256
c00e597364c00516fdf8b5c599501a5d4d96b2fb714a39cdf90cf46e9bf26796

SHA512
658dc731e832c0436d8170fddd7ad430ceb8acff5a2c59dc7eb7306e03200d0e95ad1eaed98de5ba870152c7ce02aa8dddc1a2a936b1db3078d0eb19c63f42ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
fa5a4c7665d0bd42328a819846349361

SHA1
0563534a132818ec6eccb1786b75b92c626ae809

SHA256
de27a456213c83f8d8ab4e7f88ee7d636a12830546aeaf2aff91d051875326a9

SHA512
c1d577bf3d4f4a52ca932e14faf1cd3b15d4cfcca39337da0729bcd65c6d4ea7e7b47d9aa24ac2841faf9b0148fbcc081195971867b995b65d03f5c0ac3262a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6393bdf0691a48be9f71e6a6f9ede9b8

SHA1
533576718f7bb6b4b8da5b04bc0c315794bc16d5

SHA256
1f897872d871de90380fcbcf9f5105c7cae88184ae09f3c749a93e11da76d9bb

SHA512
59476c40a68e59402fbf712520d71dfd1d14c9e947b3d7a0e537a2f5fa601ae8d00c67c1a998b4f197c254cba976c1ef5c538e92fe1500bef9808bd47bbffda3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
15292c976882242ebff7e5b7a630dad3

SHA1
b97c2a423ccae248412d18e61d4a0ee6122d2932

SHA256
1ecc02dbe7d2d6293c44e3ed7057b3625c4942c9d8fec2ed47e79a4b9d4a62c1

SHA512
b0b7a6d1716825da773e666405ec006424d450875a1fa207e0e16be78ed7ada2d76b3d512260049027d80d03421a073777271e743cfb0c49d689fb796db163b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b40c22e310397892b48f7846e28af0df

SHA1
d096699e43525f559556fa241be3fd730389539b

SHA256
28eec4e12c98b729b9bf874478c5ba1b77204a0c0c89367b861670029408d5c4

SHA512
083f838c3be9f08f3c430f049a8dee42d44d09670e7ef1fdedc7a521b01fba0e92affbacbc092ae3cb5dceb1aad9f971d1898862530274502770e6b0c412a9c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
53f7755016e8c09007afe8ced7c2ff0d

SHA1
4fd399d94db16f6f1941afdcb4e2f1e744983e35

SHA256
7ef8128dbf0db2c4cd158668fd667aa113a976105c35ef9c85dd32003e22c4c8

SHA512
08b77e9b82f2c314bef4e33be27bdafefe7ff09bc69e793aaeac0bf56c94310ccc93dda21c061e0d0fa80b31df0c6a0cbf808717aaa41eb7a678a74af88db435

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
68244d7562f91509347d5b85d9259aa1

SHA1
eeaf38c65b2efa6120bab71f9034ebb289c1d996

SHA256
b317ae158866020923c9aa1127997ae308d363a3dc454f6bd1583782b7db8123

SHA512
390fb883e48f9e7ede44186a0af7d4d0ecf0d2cee36021d012303063133e7b5dee86bb57232207d1710aea1453252d1de0bb267b3d31e4cb45f57f9862d625bf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
7b07f3d1356a5f9eb71fddcae08558e3

SHA1
a0e235fa0781c5d8340a488456d22bd0307a725d

SHA256
3809fcf6fc47d7b8df1267d6eb9d71e8c49b5aa63731640abff97471ab83211e

SHA512
4f05c8f68b54f861540cc97fdcc70ac3e5474042276294823fa657878c67b6d94a735f06b1e7cdd91e95b0be4d9636197ca15d8d5002aecd3417dd53ac462c60

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
4975e1a0272fee6d2eb0ca246ae4d026

SHA1
06648a2d6fc1b0b738baa593a0e3e07cab1c6e58

SHA256
eae8d37efe7c2aa94e6e7d77ee44d31ac7082c9dd8a70cbb96825f05c20c0c4b

SHA512
bc3bd493c48d5cea1e7c89ede8754c36c6a1ca9df60bfc43ba79cf7077a3af22cafc51f1d10302e0dcf7881311363caa3d313a7993b54bcf547b061b6d2ad21d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2dfef7b18f7a2e890b22014ba1b698c7

SHA1
b0f60d055e49ec0896793140589df59d193a93cc

SHA256
51d56d2bdb90b37950d3386959c5642504be1ce26c3a4f83282a494660dfd0d7

SHA512
4c8bfb9f301185a73e775d3c204e255c36ad691d0d0117259681f4bd5e50d4b9bd780802852ae47e36798d5e8da1c2af49fc19e37bf6dedb9cdac7ec0374c9cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
04291cb34418d522851dd1ebcf7052a2

SHA1
1ce3115908fe9159d6bed1e241fe911b34088458

SHA256
3273533411cfc5967bcffcaaf9190041ff3df5e04844581c0d7721e2dfd57ed4

SHA512
20000ffaa62acb3cddcaae0a2b11aa45b25aadaa87b5957b36156fce338ba5b2e65c2d0e325227fccbf767d11138803c31285768dd684004e1ab4304304f792c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
85bc1a8166a817d7b7f3238c26b49c45

SHA1
f836af3baab4d3508bc809cdf43ebbb8967f3ada

SHA256
4546f91eb706745acd8b1a803cfb9a9696134a1d7fe8df88b4569b23703517b0

SHA512
3d134bea1453c97dcf0b4458eba7917fbf16e840224ca54f5385261063821e7ac69b9dad652e6ff52f767a89ee570dce7ec2454df8dd13e8d2933084a23846bf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3147a41fce282ae19bb5de068b22d26d

SHA1
209b925420a1a9483e60f5b59fd884e787ae4250

SHA256
2f3c4be81074365134138cc31f2ead539ac7daea400bed588fb73fed4a62964e

SHA512
e9d1ac6b3df327af371aed04d542ba0f72b91dec63f4fc06619272e461d049e9ba076f123dcfb35695cbb44bd5aeae3fe0f8760a1d07097933ee1f02b6a2af8d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8c506ff8f6bc84689f8cf8364e4525de

SHA1
66e00513d0a8ecf64fd74069c0725944bfbbfc46

SHA256
f5b833e6442e23540496d62c87206e68d3252bb8ec27163ad76565a9183b7d6e

SHA512
b3d9242d8ce861c3c3d3b431fcc6c86d3dd9822752ce7a82865754eeddd7668e9427f427ea85e9caf4263f3794050074f8322b98b7b83b7978c07ccac8b1005d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7a58ecd5bf4a096e2a34a34432f7807d

SHA1
8783b7413a07b20b1372c796b8fd7dca052f2361

SHA256
c45b16bffe9fba9ed11ff84029fa714deeea126381c88f89c8eabeed98a87c9b

SHA512
343ef9fc1a7d1e2d6dd33e24ad797fc63d7a16bb4cb85893aff9a20ac09dac54ec87718181aaf8325300a6ffcadea57c448c7fe6f52ea6ca2002d1a161be5f4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
06a1aa1c320d0a454416e57572110ac3

SHA1
a7636aad1f377e31466e2cd9add427b9923c8be6

SHA256
3cc695a21674bbbd972a3439a57b23fa022b2541939f63ce05c506cb615251ee

SHA512
fad12898a8c50720856cb39cf62e434a5c56e29a02159edba3337d47af4513f2b916649b1eebc637275e839e3dd40f3a79c19389f4c7fbca1759ba237debb6fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
aee37187a259108b84976139f00810a8

SHA1
7d8290493ba0dd7d55baf9f369d5433fae5db0ba

SHA256
1bc5d962a95d8869716420434a47c83c89766162b1eb2bf66a7f3acab610d5d1

SHA512
d2606aef9ac1ee98aba5d9b1e263e222d58ed40caaa6925527c112515d8ec7b7c462c4d1cec74b42ab233e7b5aa41a7e6dc0bb9f3650f0436fa93039ef0141bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
52c10e4219c97194c81e5f21c4096173

SHA1
ad8f647e816324d5eb4302ee91ae6f8bb542e88d

SHA256
b5cb90a8f3d0e4e74215ace1ea413d160e76309ed6bd40f0ee54d873ba941cbd

SHA512
48a8f46d4d76111905a44d9bb1d5fc548ae204e9ef23984e29f78e351a3431295781786dc4230e1ce2ad3b118c65b4c8aea95f912d0df274d796510667d7c3be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
3d4de288c6a83f4e2198c45a3fadd102

SHA1
70cb18c2f15bc8d2877034db8788d27c9a4faa80

SHA256
05824a0c7aea187e3fa60358f174b574647e21883a92e3565eecfc8100e1e506

SHA512
614d7c7b7d285a319a71bb08eaad0c2df9b945ea6b3bf17354510701d49220aace8edaab900dc0250f4a60d01824b21be32203841b16d966ad51aeb7050773fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
7374a6d42051d1ee71aadd9d98c20396

SHA1
12e09534ffe0397b86dfebd390b892dd1322d4ea

SHA256
a7da81b8f45c710c639427977b8f16ddd6feb336dfd1d493622bf1dce9e80af1

SHA512
668d974eef23c989d18bba236bdac44d3683c6f553170128d2d1f26baea30696b294285395ddf124f1d8cd83841dd821a3a15b4baa9db15154e3419671d6c63f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
5d679f58515d5f32e3dc6761272f8c18

SHA1
0a39bb37d6ff7af1ed1215a8e496f2f0e288a2fe

SHA256
5e3c8fc377222fb49c5e79a62b3cc0fd476f89b712d68cdfbc6d21a63650e856

SHA512
01ee2d91ae35ac473b51cda1f904d23cc4e582e0d5a2dc78ccdb824774b0a980402afd68ab64bc112e17539ed19c1c590dfefba2357af1d3faa190fa63773b5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e0898d8d27a26b0bd162873cb90ddcd0

SHA1
38b2813778c3f24938c915290d4d93e30db7acf2

SHA256
446a35c243c1637c626c82c03b2e1071c8e3e30ba3d3fa0475525c7ff47bbf53

SHA512
ecd76c04952913ff562479643cf714cfdb84987d545d0d84608869064f0beb2a9368dc44fc6f08d912057e31f66c97c9f2797547c2ad9b2c7fd2ee3f111825dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
61c9df76953c253d67611a5bc8a55c4b

SHA1
82610e4a5468bb3ab722fa5f25ee0a04630a87b0

SHA256
3e49c969e265e2ff45a369b2dbee5d6977e424daef5c47dbfa7c6464b19f9708

SHA512
3069c04ab0e75401644e9b0e8841263752ffcddf161524174a09fa03bf6af0f6591708c4ee7cb5afa69dafb5bd82f97bb24df5998598713b611bcb7af0f0753d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
b4d85f79f7beb20e6ca20a460bdb9d40

SHA1
2a8ffe6caa5118fa9251fca135a4f8cd03b7980c

SHA256
347712aa92c688a208ef108da3711f7b466ff16459c1a54b7a48e35961724e82

SHA512
7e4498ea8090aa75734181cdbd54ad19fe9f1e79216ef31e3db948ec86f68ca62cf4a09aefbb79705178f5a52a402ed0f28248527e393d5b69ae3f1298ee907d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
52c331584207e28b730912ecc61edcad

SHA1
0e96d5e731cd7e97282570c7c4e42665b1ebe4ed

SHA256
073c81aa5f4bf7638ea094d491fa6dd4d937fa727be294c6ae2453b9221fc577

SHA512
88840b98cf0b007232ad5af2f108ed6231a83248a77663f0ba3974240c6a984c62d2c082531e5aa67e1f15b8a76cec7a241488c2eafd2f599fb36869e0f62d28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a697d44febfdbac12d118d0aa641cec6

SHA1
afb7cb53252e27ac9b836763d0490fd42fae5a7c

SHA256
6ee62dfe54fc7f0510ed946372b0c6e33045085037cbaee0a10b45b68402d074

SHA512
d3ca136de2332ff4dd4d0c24b6d5377e73e1d858f418eaa7ac0c391a25a27f8ec2c675caff3bd84ba3639507edb424c083ef754b3e7e41e79a25444419ec22eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
3052f7a88b939d930831eca35b4e5e5f

SHA1
62ade0d44c5411ca02b2aa86ddff59bcb4949a3d

SHA256
3fae67d88110650a0a6500ec318035c8685c24597f8ce1221bd5552f56c8b75c

SHA512
3a2592d75441ab469104d59f362cc201b809f9895e67bdc9017e8186757bdb8430c5f78ad61dfa41436fdf831c69943ce8d1e8d7d0c707864aaed9c3a4a485fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
4c8cbfa2c8bdc220a8fbeda47dbf111a

SHA1
02a01a31a4bfc90568eb82028ee1fa33bb1975a4

SHA256
015c6b786c8e2e060f0918ec989b5598381f6394de0aaa33599c74fa804da940

SHA512
ed42f25a6525c432b1f6f76fc253d972913daa8b5b05f1c74428ac9a384ed5909ccf8c4938d74cc9f009f7d781bc02e4339c0e85da67b951cb97fb5f62f80ba8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
be4774cae97ebd102e53f114089510e7

SHA1
6b4ad65864dd201b7a08ca14787aa393ea5cdbb1

SHA256
5dffa3bee5fba2d7e9f67d9e9b2c4211f09db0ccfb5a94e7ab816804c5dcfc74

SHA512
97953616d2a7d790ffd6865adca7fe020b61175814e5e3e083c5ad8c52d7a1b6345d53c69a10f82db3408e9f5c4ef10c1281066821c175675b1b936b4041287d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
29b3bf08871ac88ea356e084bc09cf54

SHA1
8a3c07d3d0d0fb4777cd3cecdf4433f6fb8e5c1f

SHA256
50eb69efc8b1885252604c293d4c0e4a6d714c07fefe23d984514ecdf004da6a

SHA512
246db8498e5e3acd5d3eda715c672ab483891e25c1ebe9ad782e0334e87920792320fe415d85918d7676117dbde22b379f65f89d89a985fae4f69c44af5909db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
8626d49b5327826c92776ff51c8826fd

SHA1
92052419699fdccd5c62a5ece403f06fbdd925fd

SHA256
d60f12cbe2547eb93c36af7d496d0339cb0a46ff7ef1d18b0e3c0493cf2a10a5

SHA512
5a147b8216a96243ab20b9c916e35dc7e30f305f1c3d0329c8fc607eeb284bcbbdf72a61d13766d6974cd171d6fdfb82ea5c6c68b25dce45632bfd7051dc8fcc

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6cf9ca2445ac48e5736a788a888fa1b0

SHA1
254181a6b0f0b571b64970ec544ec6d4892644a0

SHA256
b4fe604998e516b718e2041785e6b3bd57ef1c79ce63b7e5cb5ce632f27c86bb

SHA512
dbc539adedb242957043ba3974e51c7a631bdd132fecd2e9f2e328f6c96e29355ef943cfcebd81bbe787b03b0b9b4589bad422cc75808c119006f0430b7d9e74

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
33c6eee557423cfaff9e236bc3530a4a

SHA1
f3eeaecc55aeb24781b89e9f253cdd8935a2518f

SHA256
b788452ad6207432985fb2bfa9271d25dd16d23d7f4c712f87cf33e7561d1c03

SHA512
901e43c4976584fb80be560cb84519b778b5eb562070342fb946ad14749b0e81ace7cd0534ba5cd7412df6c92dd43b1ab1c1d417d256e6c36aff8f60d07ab040

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
30d731d7699d83c4477ceb520d349bc5

SHA1
497f3b89bead621ef3aa12421a66a1d248bc7d03

SHA256
a0ca69f21fe9194e39c7cf0ddf9deab0ae3d5ed7401486edfa48d1b03b703be9

SHA512
005e18c3e4ba9c634e9d8b2392b075037e27bac19d29565c6703ec4c7924bbdadc9d100f495a529195c2a5a860b1afe6789d5f841074484fbeff6cfafbbfdc86

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bf75cf92ffcdb9c03d959e61c39fa497

SHA1
9e4fb02aa4a6beb87a75439b5449eeb41f057fc6

SHA256
3d09968daff67d958fe76f99c5c3b0055f64b1eb9125c2d0badafb411cb2fcd7

SHA512
dfa25770640cc0d792eb99475a9fbcad66a5abba0fd7a307cf1fd9b528993add15565effe981190ea925e476aab722ff9254a40f41705255b1ae4ad65e20184e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
9cb35cbe8fb73818183c7dce0d17cfab

SHA1
11b368e705f97f95a81af616f66069810e544cbc

SHA256
de4bc7315baa5e7c2bbc79dfc56a0bd9f3e4074b5fedabbf9042d2bd1dcc433c

SHA512
3b2a6cdefd9707e3ffbe9791cc1817bf2663446a22c52ba040c9f7853ecf9a31139417bb9c93c2d5c2e939ea184ae41bfe8c5b77524f83bcc75c8770d6053172

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cf30b6784fbd218ffbcf31665129eb2a

SHA1
5ced4e0822bfb777c440e5453fe3a648c496cdb7

SHA256
392bf0dc283ae3060e3b0b770c68fb06657e841a643e8e3c2afc1d931c09c99e

SHA512
c4345edaa99a2b2338f122fa1936dd944f075cc717cadaf565ceb53752abfb6b63b5b8e30f4b4553f2953d823d8227614b15306480fdc9e317cc48bba02ee192

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
8b7acca2a309a72d3b120aa10364e8a7

SHA1
d471fe9036803921026f0aacb4fe1de6f531c893

SHA256
25da609a294bb2de479225871c0afa9efebf3ad055cc213aea1c900ba7f976f8

SHA512
3b866a65622d8c1407181abd66cb76e16b5eb46478a81c46b6cb5f2ad24f5259e9f10dd7183921cd88b135da445f011731e3cbc43a6941c75f73512146e6adc9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
280f1a9d0b93571d0357f2acf760064c

SHA1
b12d71c57e07f6e8bf319b988b9ddfc050fda707

SHA256
edf69e72c103818cdc88f47da80333ca51b9b42a41bae7f7393b6145b552306d

SHA512
0548de89cad23c97797b47909f36abe86ed0b9274334bc67eaa5df8c6f71967dcd05d6e5129b24418cf41460b23851ebeb4466aa7c418ac8ff185b42673f3cac

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
a54ad2ff9bedb4f466950275df0a377f

SHA1
663a69f3da1a1be2a98df998cf3d83fd577bc9c6

SHA256
35dcb8024880b0c2e6d4c5dad4d9615461440328000b1f1106c70f42615adba4

SHA512
1d4146985f92b5cf7a3161072ca5aed971832e0516f4f21d6ce32f4e728bfe6ab8e4ce8eea53bfe2e0c7ef8f35ce67ad5dae218a235bb3a2caeed450f824e8f3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
afeff38e1a1533a2a2b67e1fbe521b50

SHA1
198af7c1cd777acf773fde2da990e7a4bda0148d

SHA256
a360bd48b2d0090acd9606177b78ef3b75fadcc148e2a3f51da8751542d92fbd

SHA512
f970abcb68fcd2b4e1019c0ff2b9cab9116eeef3e037e71e4c0af6ca067d3a09b68a3cd2f21f16e6d745c250def7354ad3e143be72a4cd8c41f817b76f3e9edc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
084310ee98652de9cfad8e5f55df665e

SHA1
7840436655d5b332be55aa38bc8893e9ae5dbc54

SHA256
514e4a8ea1db6e39d172b537c93997143e569ddfa5227cef23542134a221e181

SHA512
f5868c79a047cdb612b100a2146ca5c411613e9964e4a66404ce201e0599a7c9c386961e0ca790eba71f2501cd1ed4b78d93360d21143a9025f8ed2f1e2cb03e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2e2197aa024f442a6e6e399259f3bfc0

SHA1
cecbad1a6876ea2e2deb11a61e7bdc17a172781f

SHA256
dce5386280bcb80cdcf60c8e8edac2abed7edeba39dc2161dd38866c067bb7c0

SHA512
dd18a3fddaf7d6bfc28a03e64947733b899fbfd77790726d48d5d3e1612edfbf5aa95e776faf41066d80c4c7140deb77f7dfda453c85206cb43ceae5d1cfc8c7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
53be2e5ff1918bf19ca1a3a2868f6f52

SHA1
97ca8a77efa9fe4636bc2317aab801dfa4de6a09

SHA256
b7ac644cfc3c0e5c43fc6709490665deee36665aa90ca62b94139f731910a03c

SHA512
d03cd34b4b8be813499be534e4cb58c0c25464afd0373318e644cb5fab50c2caa5ca38ab9cbada952bbce3568dc436d02258852ef9b2fcb6926e3ed7de8b25be

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2e351694b5f8042f71af685e596fabed

SHA1
c2bc228ef4723920023b97ab651ded58852af0b5

SHA256
30b2e35668b182e9f8175bdf2558bc4eb08bbc1edf5d3605add20af178dda668

SHA512
aa7bae201325ebd2be65c0af4aa705b86ecf541266292fff3e0f18d723b773c88f342fc0d11a748d6522b2e891dcc80a4d0d550d991a3a1743c00fcb22c4f0a4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
eeddb41ccf056406ed65c4cac7d6cf1c

SHA1
f064d6fc9d22e2add2135a15372a739fad372986

SHA256
dfea78f8bb001773f87d2bb6a3c187f31ec427bc5090037e688f4e87ef254b1c

SHA512
93e449669bda75ff31e8834214ffa6e347716001fe16892a5214b5ea6a9409c7816ba5feea4b3cb7bc234a92efffbef2e9114aec98f24a9c105d29a39fc569dc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
932e4d986162ec95d12743f97eb3ee93

SHA1
6e3ef0085d81ccca8cab2ac51efd591854c27a0f

SHA256
5cdeb058ba026dbaa2397236b1a0197844db4744acc8df2b5292170595879932

SHA512
59f06adaa52eba894990e6ea5df1bd124c5d11691062792ab72da093077525648f0f4902d0dc39e65fbd5b928e8ddad293c32d90175a6736cd40a96487bf9bf0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
9b618e59a006e13c03431816dea7e4ac

SHA1
0530c98edf30de7287c6c8a72fdff9c4ee1c02db

SHA256
06a8b7a9f5dabb4dfb1bff1bc768a193b952c1b54f41b4950844d134a4094c4b

SHA512
21d8be6f0de6f41062c4cf9b20874820907ab5d101e1381d50b5932550a05fdb30665680dc4611c817992f28eea01bf444b24d4ae9dd0effbc6aa97cf329aa03

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c3facb228b8fa391f228ae74b7cbc3e9

SHA1
6aa4d351aea358ba7638b780ca94c4c17d2ad993

SHA256
227ae50eacac7306a4c3c6fa967c234cfa61591e9038d76a35d8b3f172ad5d86

SHA512
bac1aacb2ea269f8fa0f089ca4a19c42003dd32b79ee408ccf861e81420f2bd330fb002d37f6fe5627e46a7cb1fed49718eddb42e44380ad28e36f69ded6b1fa

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
23d81083c5e3a6a5cc31e92feb529cc7

SHA1
77e28e6361f579c8bed41221830142f48c8a1674

SHA256
52852c9a930bdff91543607c2f3e9b0ad9023b1d146b1a5d5217bcdbe4578d32

SHA512
b8904bdd54ed81b49fb30867dd683018762ad99addd6e021ba5b358971e9bafd5db0e14b9d9dbefd6849c6a622da072d0f26aa8d88f31341107dbf14330a3e41

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7c771340bf7fef7e4537f7444ed33a20

SHA1
5f0670df24e7237406838b4eefaf5102cfa788a6

SHA256
1abcdb9e1aca5390ff3dd3d54f088a923b5cbe1c54911414727e0a8c3c07cb00

SHA512
ef0fde71968c27df8a283a26fed210a465f6eed41d577aaa587a647b2a8b71071bb264b4d896bae1e19e367bc48590939b5603ee0da7897a7aa103472e60d8c4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fd381ca55fc1e63d08d435278c060959

SHA1
420371787ce001b3e7af671128087a91bcb3404e

SHA256
c2c39bc39e82fbc98bf93553aba7686ff9e11b69a18d45473f7f4318e5a1f7a3

SHA512
4dd2c01b2486c64c9a9455c1042b18d10e2661881472b9889ed3d9107be8591a8cfc44325a67261a13bcb9dfb4c9cb212de7e8e3d1b1c74d5a836e73f3e84fe8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
0bfb151018dd234c1bdf75b24b17428e

SHA1
4553f1fbdd1f0237ee81880f011b32403d2c624a

SHA256
f12003ef5037b93eba912ad00201f6e1cdb72ad5eb910957a54e8fef1764206b

SHA512
5ac4f0d9f8fba7e4e9869fcb9b03af38e58cfbf330de1b71089b233ec2a9ffe143be65a8f4a4fd54e1bc098ad42e8f97be352d05769fd90620773e0ec13bdd9a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
8d40ac90c956a4b474ff985d1586cef9

SHA1
bd6eecad4b9b30d3587428d197aa616f5aec3b5b

SHA256
06062b11d9e61a705348b36d9b9bfd6c398ea70b437c8f749d0d026708275451

SHA512
c8b0e0ad2f67eb235c1308889f4090b6b09357e5cfc2081e1d9eda46bf67fccd52ef2a5e9378b00717a4722e76024618567d38a142c05f694eb909afc9c691e3

Download Submit
memory/552-609-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/552-203-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/824-6-0x0000000002260000-0x00000000022C6000-memory.dmp

Filesize
408KB

Download
memory/824-121-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/824-1-0x0000000002260000-0x00000000022C6000-memory.dmp

Filesize
408KB

Download
memory/824-0-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/852-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/852-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/852-143-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/852-17-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1084-245-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1084-614-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1292-122-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1292-240-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1408-125-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1408-244-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2180-192-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2180-605-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2264-229-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2264-610-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2304-191-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2304-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2304-58-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2304-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2540-89-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2540-94-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2540-83-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2624-47-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2624-55-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2624-170-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2624-53-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2684-608-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2684-277-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2684-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3260-256-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3260-144-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3268-228-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3268-110-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3284-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3284-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3496-257-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3496-615-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3568-72-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3568-97-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3568-78-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3568-81-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3572-242-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3572-613-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3760-508-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3760-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4040-278-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4040-616-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4216-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4216-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4216-32-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4416-67-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/4416-42-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/4416-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4416-36-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/4416-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4548-159-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4548-451-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download