7f455cd406120f4164b2788512a24b6830a379701eac6be120adc839b1e7bbac

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
Size

1.8MB
MD5

eed22a84d653ab594c1d41eb3c6048de
SHA1

76ecc6242cda811c622f73daccf954a4a2a79e13
SHA256

7f455cd406120f4164b2788512a24b6830a379701eac6be120adc839b1e7bbac
SHA512

69b799b4be8d4a35333bc42f6de512451730e41fb5d75907f0288a6be7b13750fb01169604f85531889f2ce46945bb312b25ef11af16a69b2cf15f6d2f3082ab
SSDEEP

49152:tEW9+ApwXk1QE1RzsEQPaxHNWdPGM7nmoOl:h93wXmoK+xB7nmoO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2872	alg.exe
4360	DiagnosticsHub.StandardCollector.Service.exe
3796	fxssvc.exe
732	elevation_service.exe
2132	elevation_service.exe
688	maintenanceservice.exe
2404	msdtc.exe
848	OSE.EXE
4136	PerceptionSimulationService.exe
1092	perfhost.exe
244	locator.exe
4304	SensorDataService.exe
1524	snmptrap.exe
5016	spectrum.exe
4220	ssh-agent.exe
4112	TieringEngineService.exe
4968	AgentService.exe
1648	vds.exe
4296	vssvc.exe
1988	wbengine.exe
1548	WmiApSrv.exe
3396	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\83dbc9cfb4b1389a.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a73e6d255b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ff141d255b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098c697d255b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af60d3d255b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003dafe1d255b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003eda8bd255b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028d723d155b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000744cdfd255b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea4d1ad155b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
Token: SeAuditPrivilege	3796	fxssvc.exe
Token: SeRestorePrivilege	4112	TieringEngineService.exe
Token: SeManageVolumePrivilege	4112	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4968	AgentService.exe
Token: SeBackupPrivilege	4296	vssvc.exe
Token: SeRestorePrivilege	4296	vssvc.exe
Token: SeAuditPrivilege	4296	vssvc.exe
Token: SeBackupPrivilege	1988	wbengine.exe
Token: SeRestorePrivilege	1988	wbengine.exe
Token: SeSecurityPrivilege	1988	wbengine.exe
Token: 33	3396	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeDebugPrivilege	4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
Token: SeDebugPrivilege	4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
Token: SeDebugPrivilege	4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
Token: SeDebugPrivilege	4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
Token: SeDebugPrivilege	4908	2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
Token: SeDebugPrivilege	2872	alg.exe
Token: SeDebugPrivilege	2872	alg.exe
Token: SeDebugPrivilege	2872	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 1664	3396	SearchIndexer.exe	108
PID 3396 wrote to memory of 1664	3396	SearchIndexer.exe	108
PID 3396 wrote to memory of 3224	3396	SearchIndexer.exe	109
PID 3396 wrote to memory of 3224	3396	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_eed22a84d653ab594c1d41eb3c6048de_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4128

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:732

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:688

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2404

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:848

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:244

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4304

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5016

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3896

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1664
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f7ae012e05e005603203fdd1060e82d9

SHA1
14c3eede6425acf91f6134f968cfc4d92d01ee64

SHA256
84f04671cf1e6a4b05dca4dcd461aebf033509ec2d4962ebf11d8fb79da6c82a

SHA512
da2d3655a7196e7629563f16fd056b4d9d0343d74869e5217a7928412ca3518f11d3ec8a42fffe7d1bfc80fe260a51ea1d2c0f17288279176388dc3cec1d27bb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
ec3aa84e0860ef5bf6086f6c5c9738bf

SHA1
e7acb46111e7ab85e582c74c1479c83cb31930f5

SHA256
098e4bf3bf391f31f1e7da3c02d25708a056c3bfc75f22e59d4b3b8652569d69

SHA512
5a138955072f72a331fc927ee95b23dd6ba7f5abe93ddc58f89c8e607b810fa3219e7cac1ecc7ee19ffdcdd8322a4b6439797c6f82984278827e96d6f7c3e37e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
526e422680759aa0486e2d169c063c61

SHA1
f70f370437cdb9dee0bff61e9e2a4576f0ded2e3

SHA256
08b2699943a5338983ae2233efc917f0eca1d17c13c7082177c7d3824bdabc73

SHA512
0a9cd336372c7cfa2a9dfe7d21187af85f923d2e33fe793bed357e29a4319e3ed0e6c8392c805d703540c32cf2c683c736f560f4961e4535e9f21c890979c676

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
be6d8ccee7076ffbc647abc6183ca23b

SHA1
2da3968fd5388b716bdcc2545bc492b5f8bfe393

SHA256
3ad327575590e8689f39c4472b3e192f3ed0125e6fb2d713580e1e38e23a3b56

SHA512
17bbd87a90b13ea57ff4bdafb01636a36a04b646121283b286dca11f1b51930a171d6a643015096d02e1f6ac03c7a6734472b6d9b141c84ae728ad0ee47ef2d6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3fe6706f153000c605eec432306bec46

SHA1
dc5644ca86c82c07d6fa9f5a513ad20b02ecc1ea

SHA256
7b081f65bbc38877c7b1381a25d7c0e30e6ea9a25f10bdbcf92eaadaf260c4f6

SHA512
90edc5badbe8975a916eabadc7835793179ffc9668edb89a101ce355a5a5b94326b8c3dec04fd550c9f0bb34bae8fa3a92d5b263cc4ed3bfb9ca2fc6cfe301dd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
002a0a37a9162996667337ef100003a7

SHA1
6658fd81efd42ab71510679447f3ec5e13a897c6

SHA256
5fb13227d65d5f49f86b4c5c62fb896fd317e4e1239981374da220e9c65797ad

SHA512
7e3eb9311dcf758d192d3fe4302247083e72a6eca52d568cedfbb5cffb3a1512a8b950389d1a356dd2a0920676859c19ab8ad2aed4476e1b45643dacc6ccd587

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
beb3f8c6eb8014359274650761c13ef5

SHA1
3cd00c7176ab68cbf35e0206a4891bd206b31fdf

SHA256
eeda1af6d5fbc7f738d5131afdc1cd1f04c5748a503c4d049fb8f40d780ae782

SHA512
d7a35ddfafe96609579bfd041fa7e7a11059fd791b48724a7aa9c5a31ed750f12aede8a94216ae18a434707d06ffe6fe89a6a6bdf4693700450c36e4c9deaa04

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
602b5fdf7f6cc2d3f24a3bf60dc48290

SHA1
dc697a9c4c531b4a26fd5227bf80afe2fe617f7c

SHA256
c5094d5ecbf807de494d6878b9aeeab3c3120922b164072e33ce171543a14ac7

SHA512
86458fd4463615b96b8173a92d91a3f4b7e2eb7f8df62ca95605cf3aee9a970ee947febaf7e0faf4cde1b222c1ef1c108ebdb91e3422e39548e4de1ab277c226

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
7e3bec09d69a6f432940d95fcd3ea8f3

SHA1
0db96792ca24e7dbb348c2d958ad9311cc891dab

SHA256
3eca5686106baeb23d9b9e038191b45447ca32ac7ed705773a5275d0ff5546d5

SHA512
12b4f6245249ec16b6b7dcd27270c3f472404b9541a9bf393f4b36b4337a7802eed5757056468b3426a87c7399c9f1eba89c03c13b50edb29019fe6c370de152

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
20657684d3903727becda554c288e8d0

SHA1
6d086c3cf4a604749956dfddb35fc0c15ffcae1e

SHA256
e94eb99bd58cc82e5773c0f482c91b2a9f28668a00617a9b7e8d8410d5728c6e

SHA512
d670b5880879ee40dcb1bc20de9e750f01e2ce0556c61d2daf8b3d78e2dbdfd84d636ca7f993bfdf4d5e14c4ccedca8add882dce75fa10bd86acc41b6137d0ff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4f81043e8162bc58f8c37ed540464c61

SHA1
7bf46d8082497d84aab48b486e1a7a54d6c99007

SHA256
86bd7a1f30cd0fe08869fa5193848b55590f06e11d87cfd1d056f1b6b7f4a5d1

SHA512
bcfba59ab96c526a5b2bdc325786641fea4ead05cea1b9527d66b81f3c7c2d53b5c04af26ff35e5504003362343d4dbfb5aebf91aba54a56a9ce810688214ef5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0c0c7739c05b944eec63f3c1d8ac60f6

SHA1
2204a95358bb233c5c55846875f294bbc1c2a8e0

SHA256
e52ca6d9d04a95f0adf331c0f41ffa57624adc960ea13273f7e2b498129c2440

SHA512
f80304ce931080947f1f0597fec80499e1d722eab2f11cfeb23bb9bb7148e96135d0fb2a551d4e1905aaabf34892f1edda1f936bc2f192cf33c9015eca02d6ea

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a305ef348597657deee3609d47a486d9

SHA1
85ca467bdcad155722c35f64cafa39123378f461

SHA256
922b9a2b3b53c1a1e6e5c75394227c45e66c45bce150ad07bcf9766c2ff7a818

SHA512
55ed5e77a89e32bee6709de585a8a6c8c461c314765f2a8044fea44d07ebd4c409075057f2464a000f6524e6bf1463d2333a1a298ff5676bcf403eaae24fbac7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8a9c393bf21b5f31e56744341f4d03c0

SHA1
8c4e22011a0d8717e5ba904500078dc9e07dc8e6

SHA256
607b81f80a0a7ffd67dd0f7ae4066de70ffbc3e9c9c7949dfda5326b989c7d45

SHA512
a64f13cd20741fe6a8725a652c113e9134935d09baf022932a6e5381348b36cc269e62463f096f0da5b0feea1cc6af11f281898ec65ebaedd2af6e8ca159c7b6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
555e01528849ab01dd75d9ca1969d920

SHA1
c8ce4417ae7ddd80a16091ffd984eb851a9b0f68

SHA256
c51270e5062e85b987d7d1c8c4e080d020bb7dd5ef927b4000c4da49f7620c12

SHA512
8bbffb9bf61e01f620ed99fc15953feab38c5acad7280fcc2ea88fa1ae67a045345b631c404c1ba85b2c8297f4335beb9ba4b9d0669ac0d7995f2d8076cb9b03

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
3c10e5ca9df92d7e50ab86466efbb65d

SHA1
772bec478afdc1ce37ab6853751f5418889b8c4c

SHA256
99b5de446eb0de8db8a017f4a43283689f56c28d33fab68486ccb42dd0aa2d3a

SHA512
e2a5d3084722c1522b5ef4a686a9bba5f02934d4639b27cf49d6b9d55e397876569ec16d4bb5d6f9ba2aa6c6e3eefd8a0efd316e994e8422ba917b81736a33c2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1fbced83bb2061eabcdaa490b03ff0e0

SHA1
7c0ca64e99f3b04dbcffd77d4f3e0551ed742d44

SHA256
f2a5ea318ab844f15ad8a0ebeaf82c1c8f7ce4f47a99d53b421876372c84c312

SHA512
317f45bfdcb21a644a394ff097bc268699d5440b4d6a4316fa5e0147c2ea9c50dcdc79d52488144806f644bde399dd036f6794a76a3372dcb5238f4c430ca21b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4aecf6aaf04bc3f372f9f27e8586cd4b

SHA1
fac1dff4ed831590ae3847b89e0a422f673bc8f9

SHA256
8a644a47c4a13f2ee7a69c2ce51143918625b0824a89db02609ae9e6d320d2ab

SHA512
4e9de0acabf53fe0a2ec22672d1c8e3494abbf1259901e5e16eae13f80911b6cfc1bfd41aeb9b92ae1148fc3945d6c9dd932450e8165d0520d5cc6ee6ab64efe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
841df90efff1a3e364994cff600d50eb

SHA1
57ca70981e39530ec050cd089b267acaa11cbf50

SHA256
d3d76da37b806ae9689d57315379c04a290cdc5fab4a650db9d035a5bf6f2c38

SHA512
02489abee89f3e131c8a81cf8cac4ca69f6ef6ddb90be99f1da69a7810fffe78997b17e915ab64eef8cc69c17ceacf9e260d05450af689f65793fd4d55cfd289

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c40e18fdfcbf954e8a7e2d6f7a0b8a22

SHA1
cf0c7aabe61051ed03703540dc2216b1593e30fb

SHA256
118ac1dd88cef94a9b3c52982f51590418fbcd16303b5ad636bb1bcd27cee27f

SHA512
6d70b2e92a4479efde6ab7e73cf465f81b894eaff357416d0dd12d0cc4b1c0a80089d3aa2224bead749bed527624e3142107bfc69fe0733b1a639347e3bbb14d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8a3c3849cfd74da71e3fe416449d801b

SHA1
be416924f277f9eb36bb110144322e5bde048fda

SHA256
77e8b41cfd93db1e6f974790c5f31224926b2322adfe763f042b3d10ff4f63ca

SHA512
02e6d276fbdb3c214263c5c70c8630ed5a26640bd70aa5d3d8008ad0c606b704560f5217ec9c5902badb7ed424146c1453efee066967461d243a0b7c59c9913e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
38ed8574c3b0f645462dd594cbca3e19

SHA1
5dd1937da7e13e560c401cc37bfffc4652136732

SHA256
b2a52c2799f194bfbfcf8b1ea0c6e76a1ec404a64d79654fef893483fba363e3

SHA512
1117b7f6a25d8ba782776ebd55b753ac6d2ec2947fd2633af4b1e13e05d15037a719190c86bb3b6fbef89bb361e8984acfab09dc9e4a4bee48f6665f9ef662b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
593f7a8e74dac3f90e90f25980438058

SHA1
5be637a7b73b5515639c111270b1d90d21ab5ab4

SHA256
a7da74606dbdbb4ae49ca63d608163d935f655c2febab877082cdf0585edc391

SHA512
924c414996101fcf744f08f117c1ea33ff6d0392a53f82d822f991050d9151830a11dc0fd29fe8e5adf87e210151c9303296b08dce84baeb8348d7800aa039f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
99df593d85630f837d56220e82f75f57

SHA1
305022bed2c42c3c03443d86af563f90f4fbaeef

SHA256
66ae3e98a0db6c8a1b44229fb5ee44f3b0f81df914ce7ae8def735e92d070f64

SHA512
4f8e524e8330561c055dcb47fe7abf2e6d23ad90e8b845961e7424ac1740d81faeec251ff189f2208aa5551627a8a31e0a232b0ad93739cc7b50914e6cdeec1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ffdc3be17b41de65e90ea91655f52fda

SHA1
730397ebf201947c2d984674c71e8fc740240298

SHA256
37d07bfb2745ccc1556f310781ad787e28f7619e1075ae6a0c7e4acaf5b0d618

SHA512
836531702eaf9915fc9a5ad2683d63500676ce62af1c7d06a3eaee4e7199d7792a5517a97b4dde6f2f27e998c3d59c5c9a6e00ac5d87f63257e70bfd602bd875

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b5da56338716c448009e3902a87c8227

SHA1
cc775ebe336c93e7687ffd84bd2c383783695839

SHA256
dfa5f643cb8cba56e197d0870e224783d7acc3bdc21180ca83060c0f56abaae0

SHA512
879fe8a4f3c1b84cf64e641176b898e118c5f608055564898d74565198e30b02890618915d9ba7325d94f065baa5a12fb281a3f9168a865fb67b836aaa4c3347

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
3d72d2d7c8dfcd8fe118d8fe2c030708

SHA1
e49bbd23d66a796d0a89e514a29fcfc4dd040710

SHA256
832d64cdab31386e4cfef6331e75f5dc3c028750e8989e013bda3bf76daddb8e

SHA512
474cea30a235e43dd295e9f692331e9e23a9f9bc616c045ddebfb71939c26059afd09a4535c8eeaa4efa51889b98b3d6a916ef8f986ac20750c8dcb812abc9f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
638cbd4ce71f7a48685f0ac9dbb2a857

SHA1
9bbcf3c69356208f130dcb92432f89fe2f84e693

SHA256
e8216598e488bd4c89b6deff5515e6dc5a533223ee4a274f77bbd996cddf767b

SHA512
ad343ca678de0ac0d7ff4dd1f42f37e468a630cbcd7f4e49bc9de04aceeb01be134b2d136545dd06cc5b8246ffd3d908efe9a37091267106bd6e0f7fff6457f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
d1491cd25d15c1a35214d3a2a98ba4c8

SHA1
3cab5f4372f335041961f8771b77b3824c077e05

SHA256
920e7fb91220ee09db8e686bf12d811c7403212211f5ad794c560f731d64bd03

SHA512
4236a0a177fbd6dc5099c77b856909635a1e5c308980a8b9d9414f4355f48a6c3720cf1fcde88763f6eefec1666adfbdd9da2d703888914790f9748888df3b2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e5a03142686525410f7c202874a8062d

SHA1
93b1ec4614acef7bd6265c1cecb2f90c28cb6987

SHA256
15ef074bf553bc7b7099f07194dbfbcc60ffa4d06d36481941662cbd92c98272

SHA512
c82baeea330b98db193fc2f93db7f0436e241e7722958e092cb1daa9c67d57401ccfdc353f651fac64b5ba1008ee25b01975d2e07971f3dc4943eb4121bf2c3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
69b4f858e34a21396346c32d897a0117

SHA1
d6cd135f3a7aafb7e872270cda12a5ead364ace1

SHA256
d843fc02c7e7913f319097997e5d68cbbfa3f12208cf945ead107fe217b88912

SHA512
0f37e57761684402c8cd0d90cc37be919e195128d8805626bdb36d3553e561a6126bd7f0c83850cdcfaecaad875198d21830e924c2d3232ce6c747aa6c54f430

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2956dc789a6281958c01bd3b0a8ad2bb

SHA1
136185497f98015127434319e9cc641d6e045249

SHA256
ee00c6bfb705dbccb96f3bdcfd1954492ef98d19b7ad13983ba86154679a9755

SHA512
f6ce3cfe8fe52417cd1ca546b89819581d88f0fe510abf2f5ea5670238313aab82fce2ce0dc01797d02b0b2734cfc5a7ce2f690eb59bd91a0c7130a666416a06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
42e698554c9fa03aaf74d89331aa14af

SHA1
b3cf6fb8c0a63d61f0e3c94b40645dbfbd84c7a1

SHA256
6830f7fa80c7c993fdf6ba002e4f607a03ffd59ab99b76f763edda0ac9b7f66a

SHA512
f45ef5f88f4628427e0f8677c84cefb8bd6ab07a8e9d66d95ac39071de96dc1d98b7a3ac2072085ee92194eba07992676b4f00ef89c5a8e662023ed473426ef8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
1a4c1b6ffa3769912e55bb0aba38b320

SHA1
ef1d979e4aaf6692c9600d9a1de6bd47cf3d83bc

SHA256
e931d0961b28ada187d72135bc4e3c21e028eaee3c8a06a18adf99155fed4aeb

SHA512
65a89f00d6d5241f2254f7826317189201bd4df8effc139cac96b2f22fe8e696606d20493c5d7a107e1d4f45b075977354448d0e9f4b85e920e087fd1ad5ce39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
d17d05e481e0f8c0714239bd43551e3f

SHA1
36ef0ff455cc603c6a80f81dd6548ddcbb8505b1

SHA256
8e7d79109ecd795b4364c0c519fd525ea1e7f08c360180b0b22ec4cb99937c6d

SHA512
00045e36ddc579e01d2ad3657c6f22e59cda6cb9af1c3fc6e397826f1369c82b9cf79b922405ccd1c3ba7b4f50450ae725e48848daaf6ea2ddffc44e65285383

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
bf73da2d7888705b8caacb30c6b1955b

SHA1
d9d00f5a3df32ddf7a1373bc944a8e7b6ada38f4

SHA256
0b36d609ce9c29bbf760da6bed0046d6204aeb3b90d5733b0221c00531b5a7dd

SHA512
a4c1a6920ceb726dcd4d88fa3d23e9d3cfc23f7ef6695996e50f58f0b688913a096c992d62fb8531457beb424ab050528191fe4aadb52d5302e64694d19788a5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5b50a6526a8c0701dd8c9c44a1d53c3a

SHA1
c9af94d1dcc65e88dce4ce2f504535bc1e529b70

SHA256
471c4d9dbf7f8cda24bc50e202cf87d3f1a87b129205cbcd8eac10e1cc6a15e6

SHA512
d70d0dc9e244cc2c253174170061317fb1f4136017566db02de00b096f36828e6f23877a77bd65846038bc4aa7cb2490b42f90bca6c8fbe4f837b92c639f4a76

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
63afdecc3e595a92178776b9391daa9d

SHA1
5354c6b0f4eb63f3223b504c72cd46b4c1baa2ed

SHA256
23dc0c14f4f5d0d2617de126dd4e853bddbe1500ad483f53c0a386c29a4613aa

SHA512
2ad9e9f3912e40dcc581eefa17d4840020923c1c65ffddca379047872ae663fd30299e96a3e589fb834bb36bbfc1f4db7f21330990d48e5e71a3eb1ad16b5fb1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
dc138e44f6154006fb2f96f1cf7dd584

SHA1
c76161db3c9d03989482e49a9370af57f6097577

SHA256
e92395884386528d8fde66e94eb6cd53498ebf0547765d1abc61e5c8ab0d91bf

SHA512
c9c6e504b536713fdd1524171b9b83400e69c8b46e5534ce41c7c452fd684eccf4df8b95ae73f034e2aea974b2d03eed41e7b00170e188295005da5cd198e358

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c659b4e6a5549405dcac11fcd4c26f2e

SHA1
7686f7c33553e4b60063cd40e4593d90110835dd

SHA256
55b29424dacc89b9a28f54eaf23b8caf486f97f85eee0cb6971eecb2426f1f10

SHA512
d6ff51f18c60fb51a39a928b689e02012cc92bd03dd9d39276bfe2d19d5bce71062d0d06c66584cc0734bfb4e61eb8ddaf702ee4a5d5a3118a0ec3c0fc6cdd93

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
78629c25a46151896bfe0805ad5997c0

SHA1
26af0814ca1a053f4ade920809f07f44fb7a231b

SHA256
c2f68c469640ff2388e13d161acdad33d56590021f07c3c64cfb0aa75a5b38e5

SHA512
12e3ba43b5e30b3585d33569e82bc42ff01603a464d4726e6149abaa76c0079390cf3ca97091a2711da5d88db4b6df7e46513e766b7dc5c8684c1730c6cb6a84

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
953435ad0aedce69c83cb3dca6d4182e

SHA1
48b35b7fe237641ed0ac221810050b23b288ffc4

SHA256
22a6e1df2a7f422d3c3a8445b0c39c9b7560620a4685b1af6eeb95653d90c0e9

SHA512
afde97cf246ea9ef3f665d8c420c0193de75647413afc6f83379c61d50cdb207651576ceccb7928d49547b5528338460ed0b3ea110854f96574155ea08a8dceb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
3fdbc6a005ca2c135b7a6e8154952c91

SHA1
6652fcba5a9d39da978559e0a888e1dc7bafe72e

SHA256
ba45c7d6929da8ec70b7bc15750e80577b799da31f49c718cd915b37a66ff3f7

SHA512
270f5412da2f8f68a1ef690173b6fcb8af2f1ea82e1e31a0779bec0f2d742bd46cd39a36208ec5dfa865679fdfbfd2c6de10ef2a2594603572eb7496fe5de2d5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e801013cf0e5de0fd012c1177467bca2

SHA1
5e4abd83f215b5779ae2fd2d782064236bb0ff5c

SHA256
5c051d3fde44dbafab3f53c632faaedff730a063f22990afebca796ae23d4bf1

SHA512
39116b9cdae7ae0ba9671d124f6acae2c9469c7df9d660a4bb154a0e3c85b2933a6ab57ce213f8ebb9f1bca3dc450140b6a5a6a622a7f2b16527d5cd42a41d56

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
fd900f2bf9110cb51740c2f92022f08a

SHA1
aa33dfbbf8733b476ed58d2d46758e2f4c9ea83c

SHA256
8dd4746e980002fee8acd9cf3b1b4f3dea224648256102452196e42d18e829a9

SHA512
9893c2ad105ffa8e3e77c6a9342a9300f44ba16aff9b907ad264ba96b065680d845552667f3810c1eca445eca6d44ed7d9aecfae22cc4ad591be2bed483711ce

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d5ca79227060edf185c7c9298fde6359

SHA1
3adf731829409c6ba383db6d545a2bb76a93f9fd

SHA256
5de1212b9461d979181d7e05d7d9d61d845f75f8f2e54f7b61f543186d29bb70

SHA512
2ce62a882f52c411e939dea4209274e16d6c5f21f3d21165ea5124174ed20ee6192aab0d68f21321a408491303716821d18f2e774e3e3210c46a8ea4563ddef4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a660dedf4a289baa604d424ac7f739db

SHA1
87d6aec8bd768f9a442af285396aad8193e03ce1

SHA256
d921fed0b2b3b0f5ee514ff9f6f7a447da783935eb861bbf91bcb696ca47d314

SHA512
a09135def65aa1a93027302b8b2063148a81afe187148b6615c3174581dd6586b4c700be7219deea9ea06fc530fcbb6ae8eaaba28405c8296daa10bc36c843eb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c059bebd7568090df72bf1689ed48a91

SHA1
a08ff6439d47c6d9156371042c556fded7ea11a4

SHA256
ec7025af60fdd6b05062d917b6c0c45080d8490f5298abd85b354270604f561b

SHA512
a2d7c2829c6263e8852a0d25fa4c075a1e8b30ba3d737a8a54fdadd07d0ddad941c51ec289ce55f326d41323a777548d11ac5d8a5c385f4fe0cc6122bf60ba54

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
dced32ea45a82301fed1086bd8770893

SHA1
73cd8c9f99def9a03bc413a7559ed53d314f5105

SHA256
c11f5d6c9ea38032342f5348ba6a7addb8e07d0fc08b726074eb6f1487c140ef

SHA512
8f85d71a0d78c238adb7ca08818eea1b1246c813d9c3f9547381b86516c772a2a9247db7b021b9f0c5272f291744fdc599f62e379fcfa07f37a80e89583af94d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7a3338ba411440a99c40ad1759b4f331

SHA1
5cddc554ac53186e83ddacb8855bdfa99c92947d

SHA256
edda3052216fe5e3c1a9dbd1fc1447dbc2647c7804d3b0203270f64ffe989c5d

SHA512
e1c51ff35ce58321bcb18bab97f06dbd51ec861668f61194e3e10bdcd4a32ddbebe8a5448004b0ef01023522493c1dac0709364bd4be131d9a585b35b8d56cee

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
3e21298e9e363bedc282a39d180e6bed

SHA1
44a9ee667609fa9f3688fc4a5ca910431e6289c8

SHA256
c3ee958cd9504286eeaef51bf4a7e33c554bc11c42b38b371b434c1097488eba

SHA512
44326c4bd9725515663180f7bbdccf3144d4148010e0d8777c0b320c853744736327e56efa22d7f30cede97604443e2b1cb384c3a8ac7067f9ae47941fab7b99

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
dab16182b0810c38fc175c0cbb881295

SHA1
4c72ded57f6a2af53987e8223f8fa997115091d8

SHA256
2f324daf2ca3d0d0c0d5eea7bea51f4becc37271f4a66c1a32aed137cfed0fc5

SHA512
fb16eb98cb3a6fd7babf3c855aaf80d7fdc46e8eb893489c78477196f6d56482487a4df789242a4ee7acad41dea7f5df9de6cf4fc0f35c90591e85f2108002ff

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
acf7a3b8e25d12bc23cf861470ae630e

SHA1
990be056400c06beddfad90d2fa201de56a501eb

SHA256
f515396efd82667bd75f696990e63b0ab41ee57c0b253b33fe60a82b3098d62a

SHA512
78601208f9a3c248bdb208c9865f75fd51b2ecda1c5d1ec8d697cbb16e4260639ecbf731b65dedaa358075b3cb23cb29bf785b86211be2283558eef999f263b7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9488c8aaf5c16996a9a0312a1f79140f

SHA1
c0900078cbbf4f8287a4d94cfb6c61a14231fd71

SHA256
43f4d8d7fd8dd6ae463a2017c396d5b22e4819bec5d8289056cc7c2f36ca30ab

SHA512
c28e102b86a8bb36c036ee6aba1882df36e3e24f227fc5dd809e4f63d0e038f00f45d4f2a9af2581320f798877e8c17110fc7626fb5ee629d72c31fa74b7cf03

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4eb9667e16a78aa22bbf19fd64375654

SHA1
4bf0be01a3efe79a8e74cebc3607c4001fee1749

SHA256
7328d3f14d666592dcbc63e27abd6070b5b2b29c855a7a98258b57701f75a120

SHA512
0456c6c8f95c2c8be407a9ff351b8686604ed83342b49e04752f40fccd1e49387efcb12b302ea25ff4aeff3388733222c56120db846b6d8c1365af8ceeca26b2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
94b29cf350993aa6d41ea03d97d1f379

SHA1
f2a1c18815293f24435ca99b98951164728dd064

SHA256
bd6db907c45dfcd17c6495938b77c8996592de90a93d5f8fdf69518f5691d3ab

SHA512
152ca73bda20c9ec27011ee6477409da397630e25c0f677e12661cdd05fb2b31b22060572a0e8507da2d54653e323a85676748a96a215e4a008534743d35e4d8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
828bd7f3b8fe1060f7124d6d135e9169

SHA1
077c3708c5092e1aaebf5e7cc3703d588d0be054

SHA256
1e19989a7b5d282bc77b5a1051bfcd0a8baf4a145d2c0a2340da05e5f0c9181f

SHA512
6ec076b9b951552837d0fcc98cdbbce1338832361b322590fcdf660485b7413dfccdc1f1e335a9f0fd3a1741cff95920f3f3a2f2e09ed3f1c141ffcad522975a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
7773db9d37179f55cc56716e94ceff4d

SHA1
0856071e321260612759ce75e0508c30a148a3de

SHA256
9d8e6603aeb43ff86ef95b0eb0081cbc9d4d65d5585eae06653f25549566b568

SHA512
93ed013bf0419cbcce53a1bc8116f482dfa2a30ed62ff00d5cba464367ae95425cdcd9d2b27c3664909a9215fd820ec81df07677372e167b11e67d1fa83010b5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
fc3135c7de45b75dbfa16123b5fd126c

SHA1
b6a46c230d497018fa88aa9eeed490659446b28d

SHA256
d6716b059f24c0c07732777b9fe6e02c75c0362099de1f5522f6988c456107e1

SHA512
7001a526456fb35f6233040af2075cf408a879cee301a5ac2743da5246b1bf1369d12ef0f095c34cfcd9ca55687787a3acdabe1ad6042d1e2468903e2c775ef3

Download Submit
memory/244-244-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/688-75-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/688-81-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/688-86-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/688-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/732-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/732-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/732-610-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/732-50-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/848-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/848-614-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1092-243-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1524-246-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1548-615-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1548-302-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-262-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1988-300-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2132-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2132-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2132-611-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2132-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2404-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2404-89-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2872-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2872-22-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2872-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2872-304-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3396-306-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3396-616-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3796-47-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/3796-71-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/3796-73-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3796-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3796-38-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/4112-261-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4136-122-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4220-260-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4296-265-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4304-609-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4304-245-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4360-305-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4360-26-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4360-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4360-35-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4908-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4908-8-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/4908-1-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/4908-121-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4968-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5016-259-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download