c08afd8575b17fac1d87585cb408bbf0e996c10c8418e3bc86ce0c9458c7f18e

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
Size

2.3MB
MD5

cfdb80ee3c357f7d27ad0b6de83696ca
SHA1

2fb24f93521ecd825255fc972b7713407e46c3bb
SHA256

c08afd8575b17fac1d87585cb408bbf0e996c10c8418e3bc86ce0c9458c7f18e
SHA512

4763d57817416c971f18420e2d973eb5c2b47eb544bea73d750f7f135a606fc09a69ff18f7b72d886d3cb5dbe9b7f3e7a066064a7e3927e14b531ecd26abde52
SSDEEP

49152:Kf3ZoG3UCj5qzWt2skmzb2R3NBHCYcMKCqy+XyTmp6IFDmg27RnWGj:yZP3UCj50WtQwb2R3N9cMKCqy+X1D52j

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3288	alg.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
3632	fxssvc.exe
3248	elevation_service.exe
1776	elevation_service.exe
3108	maintenanceservice.exe
4720	msdtc.exe
944	OSE.EXE
4532	PerceptionSimulationService.exe
4364	perfhost.exe
1048	locator.exe
2696	SensorDataService.exe
388	snmptrap.exe
1736	spectrum.exe
672	ssh-agent.exe
4904	TieringEngineService.exe
3440	AgentService.exe
2568	vds.exe
2428	vssvc.exe
1644	wbengine.exe
3132	WmiApSrv.exe
4512	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\30029ec3253fadf5.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89906\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89906\javaw.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{AF181329-A87B-45CD-9D9A-20D884BD8E1F}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fee77663ec7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfcf02693ec7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017c58f663ec7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000399461673ec7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fdc354683ec7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a11660663ec7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
Token: SeAuditPrivilege	3632	fxssvc.exe
Token: SeRestorePrivilege	4904	TieringEngineService.exe
Token: SeManageVolumePrivilege	4904	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3440	AgentService.exe
Token: SeBackupPrivilege	2428	vssvc.exe
Token: SeRestorePrivilege	2428	vssvc.exe
Token: SeAuditPrivilege	2428	vssvc.exe
Token: SeBackupPrivilege	1644	wbengine.exe
Token: SeRestorePrivilege	1644	wbengine.exe
Token: SeSecurityPrivilege	1644	wbengine.exe
Token: 33	4512	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeDebugPrivilege	3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
Token: SeDebugPrivilege	3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
Token: SeDebugPrivilege	3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
Token: SeDebugPrivilege	3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
Token: SeDebugPrivilege	3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
Token: SeDebugPrivilege	3288	alg.exe
Token: SeDebugPrivilege	3288	alg.exe
Token: SeDebugPrivilege	3288	alg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
3628	2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4084	4512	SearchIndexer.exe	115
PID 4512 wrote to memory of 4084	4512	SearchIndexer.exe	115
PID 4512 wrote to memory of 2232	4512	SearchIndexer.exe	116
PID 4512 wrote to memory of 2232	4512	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_cfdb80ee3c357f7d27ad0b6de83696ca_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4588

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1776

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3108

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4720

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:944

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2696

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:388

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1736

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3536

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3132

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4084
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
25426083857f12899ddec1afc937fa31

SHA1
c398c13a4d9603faf6561c739353d799b98bc3fe

SHA256
fbb65116b551211163535f5f6d5ec2547fe4951d8b6f692d0f47f8355110954b

SHA512
e69745d211189dd660d848540e397f8163033ba545bb501bc6127cab0736720f790073245c4683a85e8fe1f0de5334fe6c12635991d86ea293b9873b828c2511

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
8c9f479c868b733657ea98536529a00a

SHA1
64ab446e95c80fb0adc9abfd8fb288d838bf2046

SHA256
57a4c91da137f2f16ac357ec08c7bcea57dcfe47d365472cc8ef5a3dfdfff6d6

SHA512
b6c399715a9385f637002e4345b7d8364be535f06145fb065bcefd5c4c0f980359b53e164bde503e4a930dd8b356d8f012db640822ddc92ff50508a7bef8f711

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
9d8556b9a8101cd755d0e4dd381faaea

SHA1
82b78465d4a161f1ceec4500b319f198c931441a

SHA256
0a514fe991404b6372c6a0dc655235a8ef504f003aa59ca255af946558702929

SHA512
26cc4e3eee3879143b811a7fe064976ae07938fa46350deba8c7f33ded38b1f74510234edd2d67c46768f3159ef889a1aa7b68618eb9024fe1861e2810fa35c0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
de2d061fc9d220f4ffb41643b9776aca

SHA1
b45ef3bae34f6d4036b4492947b146726bcb5127

SHA256
554226433a50bf4d001fa280a5ffe1b8982f3d63bd8ab770e89ec4110ae4e31b

SHA512
f2f77393f5df752301b31023461a7cc3c1ce7c891b18bba2791cf19cd48d855021c410309515ebce2503ee726bc6c73cebc0504bf49f0cdf9d57cbc0faafbe27

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a77bb9fe7f70bb21caaae8fda026b544

SHA1
55bb0dbe675a92aa0ffa75c3335a28b6849f9cd5

SHA256
8e6ba42639040e1fa0927d802eacaebd3618539b8898ea9045d10fb91f55e1d9

SHA512
5e9f8128f69229acf3bb83923955b1ae1bd93638489f9fad3a9c5078b1c2b40ddc589c59201f08d5b2c6522b23a3fd4d1835e557d87250287d86434346b2df3d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
319f971b6609486cdad833b6031978f8

SHA1
ff1380e8307c6de6f0c6a0c148989e6cee7b46a8

SHA256
f75fc6c6ce9f8daf870ee4b171f1eef74f805d45377a7e7fe8673a65c22ce593

SHA512
399ad206a197a2df7de8f258e4e2e1ff60c2ebff57568dc797d34c3682f515daea6f9a78e8f8ae3a6310caae4b575ee1ea0da244338b661c4f3225a2b10487d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
6c6ffcbdb439b9719c28ecc4b423b5b3

SHA1
42d1755a056c7795dc4109da3830909d9efe52f5

SHA256
cfa138380d702ae990b9fa2f85744a74ef490db932734e434038df91662b9c84

SHA512
3fba5423af745750e258d99e55059e9737da25034881018743c7b84026842f5ead70f6b7bbd5d982907cf7291a377af4db0f9a9025d57cf9427a4960d4324194

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
110765173ca6005d6e7047fbee7ed4c7

SHA1
551d83ea12429f289c7ccb21dc9282e1341e7353

SHA256
0fa720e61ecff2c269f62f68e67364505e635eb1dafce083e452387507f191f9

SHA512
218f88e412ed3155036184dffd5202c1bb3aa84776932469fa045cc9c7c57fd740b0628ee5d01adb3cea9f60f6c39fc378ee6094a98dbfec4f2c09019390b9e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
335e7e4ea6b82437db605aa4ebf554b8

SHA1
3d95103c032427e38a5f458ef32989d599380ea0

SHA256
7605b5a6ea47d8b0f042966cb03d57bc9907bc1dfd7881dd60c01bd042b8bf4c

SHA512
e68312780718f34a4a473ee28e7b6ca0fc2ba31b8ce2672670a92adfbca8ed2ab89d7c60abf08a9e577daff85d2d562722eaa136c4e35638c69f0ba3ecf942ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6170f5be26b6b2b1d90b02007baebce9

SHA1
aa89674a3439bf3b07890d806b9bc454ad5e24eb

SHA256
564ec19c5d7a0c6550fd6519086813dcb08ff71c5ed9bd84e7d6b731b09ac48b

SHA512
e5e619e48cbe161bbdc136b4a519a73cfeedd98fb991a268a603a20fef919288025bff12bf3ca65aa22d35a7f4dfa203a290d6880825fcd55ab30a4b6ac4ebe6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
75558af8315dafd273cd6afbcaf23d81

SHA1
9c09f8fa9a7276624a741801bea3eef6387b54f5

SHA256
753c62ebb00020cd992f65e0beb5de4acc484ebc1ddff7f64117760bf10ab8bd

SHA512
de3d2cd59d7f919fa2bc45cd10780a24bdae8cd3773427d06f5169f520f3ad64d9855a80e00417a760303bbcf448782995b05f8518919420953e071ba233ac9e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fd3d6a92fa24676b143a0aa2d2896741

SHA1
5645a70744db2f064463ece630fc47ded08aafc4

SHA256
bb13ec9acfdf225dcde5b740be8687388584abd2ba3206b230f5db1637cf7e36

SHA512
a092e393b9c041a5777f490961595cbe2a3508a6c89e92d5f3b52df6854ea855dd57e439b8285f68868d947fc9af9aa898144114e0484950efe8e1bfb98e5455

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
295cac0488995ec0427ffd6eeb8ddb57

SHA1
466c21bfe3c740ca073175c1d842f64daa5cb68e

SHA256
6dd65721f0eb38170431f1826830db66211b49b823eeef98150dc209257a70a6

SHA512
0632e36aabc2ff48b62dedff0278e42bb931c92c24edd2452ea930d88a7ca4b7e55a01bb36b05c7a03e44f517dc11193383aa1a1b7527a91b4a795554091f68c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
975589c2b57343fbcb1f01b6bab03137

SHA1
4596deca4209f60650fba686c32ce44104ebd0ee

SHA256
df8722c0b03ed2bbcfb01fb9ad2007be9f0146d649eaf79260942be8a0a4b7cc

SHA512
b6e9e88017bae7079cbcfe99840aa18fb73d639368e8897f43f1eaba6e2c141c945e606e2ec93955715ea88b47e4cd571f7a4799310b5fe2647021e66267bf6b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
01a2552d931948dcb82aa34231ba0876

SHA1
cbb33017c2581f46af7b6e14077fbe59465fe2ac

SHA256
99a876974b42ceffc0f74fcaa2605a1ccfbfaeb60e0c3e361261ca382bf1c7e9

SHA512
0b3ba62343aeae1f8b86a5663f391ea1cc3bce2310f3a679682e4b344bb04a482e1c773388bc9ee6749ce52d05b1bfb9823b8a8b63229e7f364b0a680af93fae

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
231e9cd0ed265248935f11db6752bc97

SHA1
5c65f963585a4f8a8634cf2e05f94f5751138efa

SHA256
49f18f29daec35cae57c1397bd79b9371af85bb97db8fa8f1830ed566c607e9d

SHA512
c5e96427489bd3614b7fffb1746ef8b0ccb621b21cb33ea55f9d470f02aff4864969ba22bafac0f2e1fda48bf69f42526b2fd2d90a01afe813633b39edffec6f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ec1f28000fe7be6d852d5faaf160f447

SHA1
d7d2914608538180a5247c98b7950342bf8794c7

SHA256
82ac8094f2adc89aa26d46fb53bb41c44edbd9d10d80f9de14673ba1970aa60e

SHA512
9d9d1ee605cf798f4873330500552c499953a53a29e871a5df1baee6106a6ff5c6637a08bde325a94306db56a4c23753de9df1be6ee15cc8f4756bacb334bccd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4915491beb15cf85d4fc24e5cd74f31a

SHA1
02e3b55a2d252fbba6cc2b8108741068150108fd

SHA256
fd8aafad0e9dd308d362db204eced85e81812a0e114b6ee7da923bb645471998

SHA512
bfc2582bf374e62a05e56f7a221c86251dc12daf4aba7256e72fa60b4e8beb82bcd84ee6452c907b9563da0bfb78067c531f3f1e8fe16ed834597dc3accfe33c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
daf2aee6b4fa73be9938aa9663ce47c3

SHA1
801064ee5130207438cd4bb287e83b5e8f6a6da0

SHA256
d7dbbfc96a121be4ffd4405e7ed3b69fe88f18c73c8af38a6f6d8ef3d76112c9

SHA512
8d5cf1855680e5227af88fe38303ba23f9e2e94b564fb44e4f0c5436b7828749c97fa469d765f7dacf0a580e3b4bcd8eb4e97fca9a72f1bacf8323512fc2afe1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e4f2b5a49128d5633e25d9c8c0c58f3a

SHA1
6e31f8e8078c5f0b042eb484ddd1b542557a53c6

SHA256
47e394f7fbd0e9c0c6dd117eed7e927f988e52069c1a7b6591a01dbac89cb5cc

SHA512
63d0f54b9262f026c4934e06226c1bb1e7be8cb4861a251972b3ae8e901eaad49272a08639afc8de910f458e6534cfa1e13cf7ddee9a2cc9828b842528a9f6cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
a172ad0fcfc33c8844d9e15a48238b79

SHA1
40dc311b67e9b70e1a4efc19309d610f7d671664

SHA256
5657d3d5a00c7062c76770212ef5453c128d7e71c88fe3caba51f86dde67f08b

SHA512
79694e871627510d1cf2e1bbb58ab9233609dfaa76e4166e44630b56cb9b13b2c7dc110e59bb2a4db7e53043d258c5ac5b99b941e26810d81b0304dfbe686051

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
114db9162164ed6a3cbf12e53b2103e5

SHA1
1a5627207937109d32090b59f4dd2959a15f092b

SHA256
0a72bdba137581484d6782aec95ee45ae19f84d40334c68081a8699fcdf2dd52

SHA512
eeed8b5ec25a6570cb75610ac2f5622700fd0e37dfe53c3d46528c4908e2bc87dd947f494aa5dbaf1b90e33b016f919a9aeb0773f066ffa2f9b5982b250e794e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
933b508ad79289008ef3e2a729884666

SHA1
48518629db6ddbbe081e6b5093a17dfa6b287d27

SHA256
bfb9b56dc384988c479d528efcf40e837276f440dbb83301df2fafef1ef1adb5

SHA512
7bc96911ddd996ebb1b9d204829122401255ac228e90dbdf897ce48a18d8bff1868eb5dff60786b6040d45ac3fa9038ddfdfd3e2b02ecd00d09cf44b256e78eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
1097e6f8de1310a4c7da1f8cb4ffd8cf

SHA1
35d243b3d3e97b1f1617e19d3310702fbb6d598a

SHA256
128bee0abad6961ffa8d6f5983ac011a83d74b02e99fe63f3609c6f6ae143712

SHA512
0ac19ad85563e35ea3978ca691cfce0aafa7f90acd83f041fede0bfc6b4628ccdf2e5e33eca9427afd98d5cd9bab718af143537bd1dcd6f3c74feac448fdc026

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
708ad3d0d27fddc602a98b5d1fc699c1

SHA1
74a621c2235e8efca65363f1a1769489eed3c066

SHA256
21f6b4cf5b19508b5525718d877ab0b0cdcd8dfa31f83bccdb5b42a1a5c684b4

SHA512
01c8342510371319bd887c358693cce8423b4b42ada942efdc3a453d55005bdd2db4dd708781dc9be5ce227c7569a4b807d83b997ae36d77ba6344811c0e99f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2a99da7b15b3d229c092e2163d8a25ba

SHA1
932eb991d7d5cc268ca29db02ad86db7c550d3a5

SHA256
ce993c756a63ad5582df43bf3b776616b58c0c7210c5d7b4a069044f40e25c80

SHA512
c2c7c1728872d08932b7213cd456af6edbfef70acf45722dbfac5930594f7c9a397373d1f8109155c0460c33ff1198692cb194f300fd6dc80eb92f5295c14b3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
1014c10111919b431ff21d67949b9248

SHA1
40ac9e29ddcee2f6edf584762c88a9f0f85c5d87

SHA256
415b2ee61a4b6d0cef5126fccf8f3b6259b81c394ecfc98d86f0573760c57505

SHA512
304397b527bc7616549046f8290ae63c0b5cf0c13fc25c6085eea184652c2417d314ddc2061dd3684947b9c14828b22e7490a7c2e06d9482bb798b1640158a29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
53dfcbb77c16b42540da35abadc5809f

SHA1
80f5a73b514a39363af821c18ea0dfe3ec9f7a7a

SHA256
d978113076fe9e80670533a0c556bf22ec0ed5832b8074a7592f8c9b1c017723

SHA512
d6d4be9d33144e99f40b4d3eab6ea6550f6e414ff1a6b7f4af84abb4342fc2b94f20e6f1927b0a9b08f3b8ed48ff2e908e930d2a568e6bd92868d2ba8759b794

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
ff077116af67f3d7901fbab1986cedfc

SHA1
9bcd3bd3c7a928a9119203951d3fb955bc3e440f

SHA256
11b3005c31bbe07a0d9eb5d78c7175dd5a01741cfe4c3885a2b22492127c1737

SHA512
70ab18617d112faab873c910a2479c4661cbf99262b601dbe6a993c04e0ee5eae85d053c0c1a9e38fef0c05d0f97867f8cf7bf3422e0cd4aec9ad127fa7f89ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
c7470520394d1ed3004aef156eeb408d

SHA1
bd733acdb65c237b4c56be55bab9d810cbc131e0

SHA256
4b2732b448f2b7a5b1b494185d0c4ef257cc2b76a6ac1457058a6b2413e5d9af

SHA512
350adeb67805e34aced55b36f35b5f673216398bcd25a1547112b8c27f381021f6e96733a7d7cde31613a856209707d0e2f1d9c8e45341b79e5bf7becd23c710

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
ffc495996e373f57a74958b1a961868e

SHA1
524b8a252d3d4cdad3adef12685dfb6764ac0732

SHA256
9db0b8aa963406cd5425de5ed7e36f9d11b91287fe729fcdb1da202dd5998786

SHA512
ff3e7e35922aa1e27b672b1fede9f8b59831ae5403b467496e9055799381a8c5d0388813cade442fc825138153758e4c585461f9ee1ffebce76b740b5fef5858

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
99b4bd9a9b2cd338c271f563e2a9dd91

SHA1
b6fdeef1400f6a43a0b18d210a359dc1d306c80c

SHA256
324024c47aa6f3574aa697a8a6cf1094d6845c2050cde037351da736a7b7f94e

SHA512
c97f45fc2c868f6b7e98d1952ff0ab6e095672cc5cbf9a5929c06a246fb63ffb291e5c7f5bf495d57546658a6fcc7b786b982bc054b830c1c22fb2222c2ab1b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
108bfa4737f0775bf17b0adfb18c2e7c

SHA1
e2c08bda9f69b94be5ad770a36c1987a0e8eece3

SHA256
883a223004735739ce60f3941d172e1e10209744c27c551b4dee188f7c4a4054

SHA512
c79f92010d7809c4d3f0491136309a16d97f96a913a08d789e62502708680581c46e0122d697996623d1d0977b0e31c9382f5a4a8cea082b8db4dfdac7f4c2ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
1bf8d924b05905eb675eecc17bc984ee

SHA1
f838f26bb76f8a9b6750b73e9202d033654ea52b

SHA256
3fa27cb50b133d208b877173055035a4225a741338a2edc4b435ca1dc255ca42

SHA512
07571134d4ff8d14afef92a4b9759378a6835cdbecac3999a146897e585a139830a872910e619f3147332f9aeeabc7387f536f38ee373e18ce22bcada171a53a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
b1044436ec54af337e3890ba021d8ce3

SHA1
93b008dcfd5d9334533970b422f5830e6753b5ce

SHA256
d6d7dfdeb9272bf3dea5654fe313fc62479dd6df4e98d091c8bcbdde96bc4d05

SHA512
5dcec19d006a36041c1c09ff55e3f65e769aff124260786a433d6ee52d326182241d7659bc4578f36951ca9f3eff018ce87a562efa73fb552c3fc222a4bb01f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
495f4d5586fe3e5bc4ce958d1dcf7ea9

SHA1
db234b626506dc3943103222fd4f3173cdb1f4b4

SHA256
849734a0e730bc60728ddaa9df580d276d181fb2d308f9cd5d18124103b8d9af

SHA512
7d9c7e7cd87b8ddf09820d085d6316f52282314c86a016d57f902d67ec23fa347debae8399c7e23df31095a489862d5c6877ebffd73327ff3552d1f50ae2827f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3343faca7cc4b8031380dc025402ba02

SHA1
5e1234fec3e030d01cec57abbd896ded484622ca

SHA256
023fe87d40edf5238e87ee9b76de0e1510743389fca68c6d4042a381ef74cecd

SHA512
9ef5cd25d2985c8402ced476fa186be0d0624d3e83656b1db8eceb9473d57683374eab9253ac903bae59732a4c9d966f907e5b768b6c9d5f2bba0db799f71357

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
7f3245e4bb6a9eeb943c0189a05d3921

SHA1
25595e3077f22db24aa81803b268d14215ff8ba6

SHA256
91c1438e3fd8ed3a661d8b9c095de795d1c1026c602ce4ee76b5845136b91151

SHA512
9cf1d5a8243f282584f6c688d232ac92b8622803e6439c10f07f5e006b90ffad1c31af4ae36959a399e43136266c01aa922249918265dd4a7cc7bb38c8b49fed

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
98e24919d3973e8f6a592e663a849ace

SHA1
d67e5414db0845e8c4d2f00c25cc442c76783829

SHA256
eba39ef5e0babaefccae1536e36da3b481638337b790269e3d72a8b7643644a6

SHA512
727bb53498d8c136ace20776b57f5f5ffcfd3f2a8aaf0ef4a06723676bb4ad31046f4db8ad8865630a1e20c0aed7835fa4bc02a91ab32a9cbb297abf799883a9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3eb87d071d7c38c7f025285bd2acbc46

SHA1
38ec15f3b01bd9fdd249cd6f0cd505c740871a32

SHA256
eee149bfd95e8a5e235a90aa89fc2f5cca6546b5b0a44b5e3d50f67ebe3b3dab

SHA512
41e027d8689ef7ff36edb6a7a4a6d31c36eff899078c811022b910a7fab2127069448492f8b1f7f1f3da80d5815e0ff85b39340178e003e2031d77c01379734f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
bff9c8a6f71058cea7156e25b367bfae

SHA1
251f643466f6a78c307d6895caa7e8b7202e8d88

SHA256
179bdaafea33fc7f7c3232b6768fbb726249728890a91ba2d1c72426d025f5d6

SHA512
e89d4452a34fedd018a9f523b5d08160c519ff57f612fa786c38a40c2929764537477fa0ee8c6751799b2c0d68004c0b25618298938cdb69d6411df927a3545b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
37b64dd3aeb2eb632946f8ec2c4bad64

SHA1
5a7c9412ef43124cba3147b6663a684e660d58ec

SHA256
15ec5822ef582ec5240fe47cf35854d72b6139f58eb4184fd394bcb73c97baa3

SHA512
c4b7fea6ee0b2f1151621da2bda5dd31c9be22535c2aa7f171ba16ab87079731c336a8bb138c0b76f57363803dbda516386be16d223fc520f2046c4836427d9a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a53e649f505e6acf341b2ac5c8a8d0f9

SHA1
bc666690b241e515b8c8bc133e3a489e920709e7

SHA256
da19c7b05558935220939d6e0ea5a97baa83763be3533e2f170b4cde2b14287a

SHA512
c23d6f05135e8fe72ba4c46fdc430706f26b282224046dc68b9c46a307ce96fd8d4020ee763a4a225b6a216f795205debf01ff5498b26c18d18e91554d52c6ef

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1d91b2cc8650c0da0c5a070740b938a2

SHA1
fe1d9779af49960fd6e167b1eb243352341826d1

SHA256
2dc82724c02cd7ec23900b336b3f88264c31be8c15d8a6583e1e0d37bca5f5cd

SHA512
aa7cd36ff9f02c64208280db988d37628c68e57238d5f501d537a5128246744545fd3097a18734df17375dfa425427809da8adf7ec7ee596a80ba7ad464bfa6a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
d36be2baad06a4c25dda6ca4e2b7ecc3

SHA1
d7421835ff3b223e52a148c7f74eb4d8d3a9781f

SHA256
792813574a3959f59b91a36885023eeb9fc3da7f617d4c21fd0927a892db75bf

SHA512
905a03c6ccbaa0fa08a2814c996cba9794803e9f8d351abe78de59aa5fd370f2b8a12619c1e46fb7eb15e9b31f163e9ec5007c034eec7d09e372121a0be6415c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8c074b6a77c72afaf97492c281b5e459

SHA1
ae0b5ffb2962956651a3f334edf92e09f109a76e

SHA256
6478ca7ce8e052f5da58fe703efca47a59e8c8b8381ddba0de60d6a3cea301c5

SHA512
a638c7e62d2eadd91ea980ade3b70f3526883a0c23375890b653bac3d4e1e2cad4670abf04baac4382f095cc47f587accfe59851eeb91c594a6900354bef30ed

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
04ed2d36c165f9e6cf6739e265a53867

SHA1
f9f760a9e82be3f26eae5ec89ae73f69a1335dd0

SHA256
e28ba1095605fa7c48ec7e01aafeb40c2235cce3262e951e155966854d8b491e

SHA512
06289a2066143102045bf2a5c6b3b0279955f226bd67ab5f7a2d7fb1db42b4397862ba5180f78dc3780597a3b4a5d654799b15da79b45595114194bed7cc0f27

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
adfadc9ece8b523896355bf1be3b56f8

SHA1
7d5088b6aa9e67b8b44d4220c6a30342106dc284

SHA256
0ccaadbbd2f49a784258e5f7c5814aebc5cce1f1787e1254a3662a2b0686f196

SHA512
3924dca202c84eec653ab60bc021c99b656021bdb37fd20d923ec73f90c7ecfa44cb58eca1c14b13fd7222a75e8085e2f9600abba3f7118939b47675664fb9da

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
45fbdced73db7ff1b2580debf4b1fc9c

SHA1
911ae7a4ca6c990f03ee9f7f3e7c86e0c0dbfac1

SHA256
43e605c356009b433762ce3cbf1f203d08cd21ff9dd874792892d1ac1e9ebf25

SHA512
931a4ee933c7cbd37cd8d0b30fa42711eee091950d2e65bcd5e029bdc984605c8380b62013cc61d48a87019fc4c856f20e065029e01b02d882cf4b7c2f9f7795

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
da6f8c912aaf90d45632e17ea4b46cf0

SHA1
0b19bafd8b2e199d4142c44e288879dc1e46fb23

SHA256
82ddb1152ac55e0fd9525d1466e77f3ce8b0168930f9c2c303736872eb37f49c

SHA512
8a09f5c1eb0a5cee08d5a8a3400f68fcdf4e014a760c51707374cd4ab5dc595a97759b4bf4ac539fcde9bc66771812e3913b1b70c0ed5c0cbf372fc1ef07bd08

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
5f9170e689ad6f6f657658c4d2467f2c

SHA1
81dfd90e7255adcb9a5c8885060391becbc87c29

SHA256
8ff84311048b98115f515d48e1dd552ca6a10117c179b72e88ad9b25a633ed11

SHA512
a263d122d1ab611ceebdcdc907fa6047b0dfb5e256c3fea12ddedbe575910cc2d0963f39957bbc7d0ad0b76a5160c0816ea6cc32c2765569b383ec3702ef654c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
57189929e5f1c22553f230ccf6e0e143

SHA1
d0b36cb480e9b9be378ce2df2972c04132fbef5e

SHA256
da69749c2f85d6aeb792de6f8521697e98e83f884bd39f6fafc631e8b3aeaba3

SHA512
89355d1b04c13ce1c2f3788688a6608b30170ebf930a3d0f217992707862a7d8cc770daeccb91eebea6c50feac8edd2136dfa5d427ca533716a944e6a083cbe3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
cc43a5040d7d2511ae76a12eed8d0d9b

SHA1
c7bc1bde16da2ed0c03b2fe50f125ba3644be1e8

SHA256
65e931d80a5579319335dcd2e3f934a64d1655f03516c45b945515cca7ee64fd

SHA512
d315199528841ff1338232b4bb9eab41b2b730ba41ada1e3be5dba48b05e4f0bef264f8fb2a73f2a701d406ec503b5f30ad94dc4384f09eb80ea9fc1f5c255af

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7f878f3c5e5d49718db75e6d0b4ad66a

SHA1
6c2227e651fed53d1256c4068308755ac0c553c3

SHA256
e8fd47e412def9e8f76eed1601ffdb4cd45253ee931099e24dbee9707e31bb44

SHA512
cbb295d98bcc6e902e3fb1791254125df3dfb0bf7a6ef79f725df5575ee07deb06ba238ef6bcee5b42736cead65461ced2b467f061df3bcdaa57144561f9551c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
81fb81bae48e942eba28c56340a7d6d9

SHA1
c19b0d04509b876a9474f71b58458cfff8d4c040

SHA256
3a3ccd715331c38403bcf07d38ddce67877f5e7ee3f5abb63a8052d4675bbdbc

SHA512
d184756131d8bed5a8bed601b8230eaa6968a98468cd1c9b2935fc0f92e71deec6a935b21eb6a798e1ef1dd2c320227a269983e1e84ba0ecaba31d8127654637

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
68182e3608de0662331a32146b906f97

SHA1
952e6071c02a4129be2e40ce154588f0f3f07dc8

SHA256
3afa7ff7eb4bf09dad8fd15af199498fd85d28dc739e51fe981a323ac8c37c58

SHA512
18a1f5dddc7eed8ed66a92102e723d498a879fd7592b13238fe318ce227d5d4bf9d3ec2276a36532d1128894f65331582a2db69bcf67f23aed5c44b51dec445b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3888e66ca60440b6dc4e0ecfb3901908

SHA1
9e134f1d26aa11bc227b6909f46eeafa1d35e259

SHA256
7ac1498c9ec85d30a5baf1d2ac740d747baa5cc831a24835870bb29979854d44

SHA512
b9d7d8a1e22a52243bbab0b0d90746a9579c4ed9199190fe6e3fca5cc577ee60c388e0e894130f13c29e0cda1105048ce6a56aa2235b85d5ecbfedf7050ce746

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3c5570191054451aa424167cbeabb86e

SHA1
64bf3094758753f56e79caddedf28e0f3aace4ee

SHA256
73f2a2f91bd2c24fb7ed6790eb339cef3a9bacb8301961f94ebe6cf1b172fc5b

SHA512
4abed5c0dd4a46a21990929cecd5c05972a656142bfd88d5a5ede136c58f0b46995f7f20fba45f6b74be9a8b4c544956df059a4261657b7920222739213a5074

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
3092defc9bb7667911048edc71baf3e7

SHA1
98b35cae6c5a19eb484d292ec7fd23abb9e45724

SHA256
6fccd00b2d4063c42a2a0e4e733aec8787370bf410d3a10a1fe2218aefd53ee8

SHA512
b9f6c8727e69c69d7dc06b15c997b324f66865954541c7882378905b5726b43f2b5b7227e51e1757aa351fd93a24eac849ef221b6e019958934a2e8763c316fe

Download Submit
memory/388-161-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/388-386-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/672-178-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/672-481-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/944-224-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/944-109-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1048-138-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1048-251-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1644-530-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1644-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1736-468-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1736-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1776-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1776-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1776-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1776-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2316-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2316-31-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2316-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2428-529-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2428-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2568-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2568-528-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2696-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2696-494-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2696-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3108-73-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3108-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3108-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3108-74-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3108-80-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3132-533-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3132-252-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3248-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3248-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3248-164-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3248-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3288-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3288-126-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3288-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3288-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3440-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3440-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3628-0-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/3628-1-0x0000000002500000-0x0000000002567000-memory.dmp

Filesize
412KB

Download
memory/3628-100-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/3628-6-0x0000000002500000-0x0000000002567000-memory.dmp

Filesize
412KB

Download
memory/3632-36-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3632-42-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3632-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3632-47-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3632-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4364-127-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4364-239-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4512-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4512-534-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4532-227-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4532-123-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4720-200-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4720-88-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4720-89-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4904-195-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4904-527-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download