95884c8d6a5b254e330a1e35b19ca99eacbeb147fcfb6cea2af1625e2d4303f5

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
Size

1.8MB
MD5

68daf21a54b0706994e91eef07f5bc25
SHA1

8eb8b61add1a99dc671585064cc9c75eb0e8e7c5
SHA256

95884c8d6a5b254e330a1e35b19ca99eacbeb147fcfb6cea2af1625e2d4303f5
SHA512

cf5ab6ae3456b744ba6568dba23afeed9581dc99bbff90a4496cde7f0076fe8e7906fff60714714ac3a2aa70885a0e786e2c053e1dbc38340b309a1523830372
SSDEEP

49152:yE19+ApwXk1QE1RzsEQPaxHNIaB0zj0yjoB2:X93wXmoK/B2Yyjl

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
612	alg.exe
3808	DiagnosticsHub.StandardCollector.Service.exe
3704	fxssvc.exe
2928	elevation_service.exe
3492	elevation_service.exe
4492	maintenanceservice.exe
1452	msdtc.exe
3496	OSE.EXE
848	PerceptionSimulationService.exe
1456	perfhost.exe
2036	locator.exe
760	SensorDataService.exe
4188	snmptrap.exe
4460	spectrum.exe
1620	ssh-agent.exe
3628	TieringEngineService.exe
876	AgentService.exe
2424	vds.exe
3508	vssvc.exe
3056	wbengine.exe
4740	WmiApSrv.exe
3912	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7bbd0a9590c504c9.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{81C44847-CFD4-4467-BC43-4620F6C2BDBD}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cfce2e57fdeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e474ee67fdeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f01012e47fdeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fa931e67fdeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000858546e47fdeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a5318e57fdeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
Token: SeAuditPrivilege	3704	fxssvc.exe
Token: SeRestorePrivilege	3628	TieringEngineService.exe
Token: SeManageVolumePrivilege	3628	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	876	AgentService.exe
Token: SeBackupPrivilege	3508	vssvc.exe
Token: SeRestorePrivilege	3508	vssvc.exe
Token: SeAuditPrivilege	3508	vssvc.exe
Token: SeBackupPrivilege	3056	wbengine.exe
Token: SeRestorePrivilege	3056	wbengine.exe
Token: SeSecurityPrivilege	3056	wbengine.exe
Token: 33	3912	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeDebugPrivilege	1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
Token: SeDebugPrivilege	1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
Token: SeDebugPrivilege	1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
Token: SeDebugPrivilege	1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
Token: SeDebugPrivilege	1584	2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
Token: SeDebugPrivilege	612	alg.exe
Token: SeDebugPrivilege	612	alg.exe
Token: SeDebugPrivilege	612	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 1068	3912	SearchIndexer.exe	113
PID 3912 wrote to memory of 1068	3912	SearchIndexer.exe	113
PID 3912 wrote to memory of 2932	3912	SearchIndexer.exe	114
PID 3912 wrote to memory of 2932	3912	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-25_68daf21a54b0706994e91eef07f5bc25_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4928

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3492

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1452

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:848

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:760

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4460

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3656

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1068
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3e650ab02a00765aabe1e176c0f15187

SHA1
80ca25d4053e15522831d8d8a8d0a65acca1b0c6

SHA256
e87d70109dbcc15882a8beda277b5210c866a03f959151933772421360c2eedd

SHA512
872fb982d7c24a00a4eff9dea2edda01e973fc38faf32b2620bdbdc941ae3b203e743aa65c1369ee3dd4709810921e31197b1307b342e54a39dbeb4a05c48be9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
07df6273e2631adff829fb45de5f737a

SHA1
2523d02dd6c875500924f5960bc662437a32c500

SHA256
f1d5369d955ecd05a24c1ac028f839de9248688a60a8dce6ca8b3cd891a036bc

SHA512
e21471937007037640e9221b27c340603a5c57496e94437be35f0751b086e8cb4bf4fc6ba68170d70b39d4192c4be9567ca3acd8fdede1b3e8d7b9684fcef086

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
80bd12e8b69989dcfa29689331775227

SHA1
be018b0cd3d98acda7dfeaa9fdc62ccfd429d074

SHA256
ec022c1350b263a5c5f8ee1133113cf0836bcab90e69f468b2ebc42f969c6ad1

SHA512
21f6d4bd3cbb35350f5b5251249142b2a822148b7e497dc1d34c8464009f531fa40f1df500c32b3d8289cb6bdb195f84635ff61e7d40060b42e16d62e4b00234

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a88b318c7dfc8924a68f8baf7d38baf1

SHA1
4b737523ea229cff36df424e576ba1f0355990be

SHA256
02d85f89dff6e35225326cbeaebddc816a0b874348ea98c8aac64504f2aa2c78

SHA512
1be2ca325bd515ce7b041de0a7dcb79f4e42f2ed6cf76916b347e58daf03c0d2bc87135ea963ebbf2aefc73b0d3a77e5e34d0914d87e977920a4fe41213c6ba7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b40ffb538e08d1d094f1917b8edee17f

SHA1
240cd42ff399d2d57590a260a59cee7d36298214

SHA256
4527b4e8274c136a00111ec6d7830ce3664b2bb8a778d699d103c1199b80b45c

SHA512
98d82879617af178ef0fd3894dec1a8349227fb9cd7b147b2efda1e971d754a41608bac8d5a2279a1a7e6a379133b9f4a41ccd37f842f6ab510b6af735d7be3b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d56c995f8dd6fd7421c6a1d1382c7e27

SHA1
6a1a4e8bb6c9ec12092b9a2eee9559761a2c98ee

SHA256
10eb64a5fb7561beebf14626e1a4d1c574f8719bce24c6840b2060d9de26ef36

SHA512
d288b73de029fc1dd8fbebfdba35ffb046ba3ab05b00e838b1c77df20f9392e066dbeff2b2e88793b01b2428674454536db15dac8387b95ceab0f6d7e92689a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
259283b758cdac83521db60a1847f3ea

SHA1
11faf6a07d07261ed5863edaac44736c75c37dc5

SHA256
14ba63eac329b8632d3d1d5b0ae132bd5879e0906822706b82a35d68d2ebb738

SHA512
7f34dedc5f48ad897959d206dcd2bdea8aa2127a8b8bff1e75567e21ba35500608ceabcdc17ab3f05da20466aca6431f4f16d5663ec6fcf989cf0a4a28a21426

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1925e7d5cd4e0c0fc4607f0db1fe2031

SHA1
158aef6a43d3e1e811a8a9988f5295b9d4c20a68

SHA256
f1c6000b3feb524f7ca3b0141b0b26f724d16105e9b263df204aca83e213738e

SHA512
a25b0c5d716afd38cb98663638156eef920ea3e92eef87467d409883b713b3f43491aa929e49bb3d85448264c243c6a836e923276da3da48c1178d6aea8903e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
5bbe3b0515fe076d00edf41f05e7eed9

SHA1
4c85e17c3242362a4410d6f9565e36c7dc6dca30

SHA256
b563ba4f743eb5afba529580b5cd6d3c954e37c9396e55468aae2d579036fb24

SHA512
34ec1a294e72143ec900398c95f0c67dbbb737371f15fc67029a70c18fc262bfdb93f8b30669fea4a009a38d4be1b6769afb44c4db093a79e59a612a65e710ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
169c26ed84e242c9ef94f9033dadac2e

SHA1
dab2fbc72d1a8eb238398cb5caf35e4f68496886

SHA256
cc6afe0b677ce2353dfe0af23353ba891756048d664438a6edfe7138ef0f6181

SHA512
615bb1e00469311532c79df489716ad562705c393c76f57ded06c7c8120f430b4f8166cba77d0efa9a69eb7e85b1001e380eb8562597a774a491dccaa07ee389

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1723b5c0961775cc2d9ce3d5f80aa94f

SHA1
b647f55ffa0b9cdaad608289267257393f36fc6d

SHA256
7683310fe8685df1da5fd6e8f981032d963212dd528caf636c2bf53b59bbc7b4

SHA512
adf23296dd09e0a414a4b15b422de886f6ac8688653424029198337894f0165051cae759b833e5f617f29d5c2239d10c0ec8e11a3212462319f961e7f9c192b3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
62d1ee16afaa6800d38bb6a2ce23c4b9

SHA1
3a4be19a9f780cde4e2d6bca609a5b127d8db700

SHA256
59956b4447733b8a83e7206aee9fcb9051d2c6a49f82a9394884ec82d503c71e

SHA512
6631482bbc76a5bcebeb88f21394648a7f9317df8e0372078a4a14276959d86aa6b77ada78c482723c47579e01b7290d73c9b7f9174d16944e3f76c6e0eac0fb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d11560d550363ac7a5c7a66b33eb9c5e

SHA1
9b26fab68d09fa2feb1dc90a9027b6cc36c8ceae

SHA256
a382cfc74bfd8c8a2ba8f7b3079431f89676f3d4d341b7096276469d259cc2fa

SHA512
3afa514ab7cd931426fc4ba59c12118a01d617d4a6d83881d8c341d3e10df4830dbda722f4b0e639f93d5721783129b39f3a36d7921bca3e69197379cf431547

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e052e55d619d017b61423f1c19a25a89

SHA1
355cace7108195964d7b758118650eca6e980973

SHA256
935d168782e8b038770a27108813b3f631054f857f8fa97cc8dd3f4c442c093d

SHA512
32f840388a6b1b013ab5e579f1a0329b3111eae3bba6d2fdaaa679a1eb2ec8e484fdb0c67cd87f8686bf12e04fbbd9bca2bd5b867e1976fdff7aeb51b2d8719f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
8453688f4d2581fd9548fa5eb59ed4c0

SHA1
9091f5709e1dd11eee98e6c0da9e4aa348f08a80

SHA256
510074dd988f6d79a29a7fd5cbb9ef419d62b0525aeccb112cf3671349660701

SHA512
9e43e8ebf22abf6814c0b87e600b44342d40a18bd483134d8b449ba11548c2e073b529852c4bdc7a0cadf8b3ca04fb394f6ee7d8b6b3722f9b9f4b9291aa6b26

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
754e9eb51f821cd2f2adea313f3499ed

SHA1
0eb69deca33e8807c3903c8854374e08a719f69b

SHA256
78ad25651caaec4218009082fc7004c24ddf9e5c69ea101966b6bce7a38d4582

SHA512
d3afedcd47b84ddf33cddc104a53fba40c3cb3f1bc25d21eb6176f6d77b1cd331ec4be5fabc55d3049d317522553ed616a3df0e46bb2d55b591ba868961d2347

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
666fdb6b781c78fbceeb2b7c93998737

SHA1
f382d7c951ea63eda80890c60e2880ca325d5d8f

SHA256
ef4fb9df9bfc4f57eb43d5799678520c2c4b1942ef5360b79af624309cd8f6ec

SHA512
c9a42e55677c1087df7ddd05bad8c7d2ba6f9ca984fdf73109340315f0967bf54b88f87070ed20c8ce1d4222f8d19e5a29e99b1156d15911a0123c8b513d98fb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
d9572d04a4a290c95267cddfac5d8cce

SHA1
b5e68e88d8b6b20152a180fd898bf9728c54c16c

SHA256
581a8f9a220539957388abab00e9169273b48ab2e2e4e386d6df4aeb9b42b7b0

SHA512
a9bfe121556f8c8cf52d9bcd646d43c867f033901531921955ecbabb17f4fb55a6e5a8dcdf3bf21312e315dd21fa49819e2848eb48c7b27e7eecaf1ec21771d9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
e3472052dbe3eca44dbac7a23f229ae5

SHA1
5f199491acc7eabe60d2467feea46e4852ac2e5b

SHA256
49fc87510548af454b73a1b1daf0fa4db5d0bae2bda67078294443799b8777e1

SHA512
4c6e2f61e208974e6d781ccdf11c414324d1d08f52851511eeec8d8c9a53ac85e7fdcb50f9098e4e1c81f70af83d2cd5972017a480ba43ca17ddaeefedac90b8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
c39ce045038be37c06837335b6947b84

SHA1
bac46c9fad52daea64055ce36b4c0d7cdb12d8e2

SHA256
86b6c5262f71c8b8bae3b5dfd169d66068190565e5407dd0a32d9a3583f26e57

SHA512
d5dca7b9aacf6f7ddc5d1373efec259054fe3cad68ebb08687717ecda86172009ef5d3743049fc70b1dd5eefb2c329efc70683ad1cb0bf8ca71164dc4c6f8669

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
4188e701f937cfab5b7c1f22b84c6bb3

SHA1
5191ab93cd0108ba8f2d7c26a79b5618937ae5cf

SHA256
7e0f1009717cd83631fab8cccfe4ba03b997ed3f6399ccdc67903adc9677e7bc

SHA512
bfa83d7de7b55acc7f675914cf5de7c4732f0f73fab45468af4184c9e15f266340c1c98263b0ad472c2c591d3d95f17f7d852e3d4fa1794fefa5b6e275d5d26f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
3b1a807c96ef6466b73878c14135c9f6

SHA1
31d3c0558a479b7c24f3f8d174655d0c827da44b

SHA256
52af0dad706faa32b5bb71dd84ee9c12477b2de39595e559f2af78342363bdd7

SHA512
6f66aa1180fe38cc155af0aa56ae47e41bd0edf4507e18db4496250a05b5a205da0ced3645af076eb11a721173d69bc9c48c253823ce83cc61cf08b01b234a26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
03b1627c02f1522b051634e44181b298

SHA1
9645f43118a809ff2e2131cb8ed7da05759f804a

SHA256
cae44b633825f7bc74d30595f18b673f3a92ba202856ff1620db9722f5daa95e

SHA512
3a1567bc3e505f36ce9afd83fc6ccf4dc6f1acfa457ca6bb75307b0ccc162b16aa8b9274273ab2da1f787461acc53ffeec8a22581021908503f07caefbe57cbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
1a030cfdcfc65a66fa033a7c57923a0c

SHA1
9d049c06ce43596c71f3c13e9c59d60c7a770199

SHA256
0b8e56f0da88edfaf524a703c31a33c0dc501aaaf769d6ab29af085a22530b40

SHA512
8cbad14ab31b8b724281489dda7840afb74598b6322331fe1a59a0b5a8464c130af255fdc55694fa2bdb162cae75458eefe41f1825157299a47f17e0cb26cbf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
dabb327f5012d99813a93555dd8d33a7

SHA1
cd37d69f49a168fbc86498237508aff51da17bb2

SHA256
59b6a4749900aeb7a29e146771de94c1d20ca087338c474c0467e41775f5254a

SHA512
faedae3bf086f3575bc6dfd76e578576eb0816c63d1b4e74d12db7443b3a81e7e9ac1734aeda091747fe399d01fdaa90ca60a77a28621b10f936edf6e106fbf5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2b513930b80d839e664fb58d5f99c0c7

SHA1
4a6f7814d9848a312d21d3ff617a35174294dcf7

SHA256
464ac0ec14414c500bf0fec97d89a5ca8c3c423eaf37dd3501287e80e5e50f95

SHA512
933cb0fade25d23437d8f09d650aaeab490c8d21f9957ee071ae8cc03194d50dca4c82a6a5b5151228cbeed5cf286fe0926bf9940c032d187ae90fbb1f9a7c7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
3010c84a1fe3bfb2362fda904ade2fc9

SHA1
893db9b5bd33caad55ff3f1a9ce412cfc31d07e6

SHA256
2bd4039aab0b9b7fc5c88d98f5fc1d1d4727c45bd64bc0dceee9bbb3c05c5244

SHA512
9057419922beb2ff19d5f1961627f76afb765706caf7a2bda53ae14889d290b070a65148e8979b9b11be2a68935b8f57ba7fd3eab3d6dd4be1b6c9ea1722b3b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
c21e6992c7331bd9f1240b4fb81ba361

SHA1
b89eb9063d55c36410b6f20b05127eb2e6bede3b

SHA256
9f5c3591f7d9b3a3085a7b60102391c99c790865ab39e0343140ec22d43e5df2

SHA512
569e188a9fbc5c169f6082e706402db5db23e410cf9511fddb9d1793ac517f9f3d52a5d5c445af8c5efd15cefc46c070c54c31a0880bc446565483b6086d0b41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
87db088512d67f639575df4dbe4f24d8

SHA1
0c846a85bbc53dbc98da2811966c93aec4f9c280

SHA256
9c2c40ee0d0c3aab2b0a237cd8234ccb7de9e34271675024e4a43fdb0b01d9a2

SHA512
2d66fb4a6addc5adb80f7788bf5f19dc34ed30e1b690ee498a5e8f83269b5dabcac405282e933d60db6aa66b71469d3c14c902d84f4ca180611b7cf79c9a5225

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
5062b3a4aeea0a3a8d566da051c9bd53

SHA1
f16aa769ccb6afab862d45331f0caf4d8ac96424

SHA256
1a5e2110c8d55a3c0f8ffc7a71919f3190d77256bfd4e5d06c1bc18cbde8fc91

SHA512
76f411476c2f9c92fbfdbaefc21e42e120879ee7acb73b5c5ecb89ea0362ae34f45db447e9ab723d97a4a6205567ad97bc91f0b79aab27cb9d67e3acb3df0443

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
d6b9cd458ec120d124dc7aa9f2327279

SHA1
e720980b5cde548995c1a9d298e0d4bade9e0357

SHA256
9ed896dab083e9875ca5fe4ac64aa460544f51ee6dc5092e87ed9e1d2bd0af06

SHA512
3738b29e854e59c535ef0296caf7d1715d8e6b1cc33461319a7ec4dae6cbc5cd05e3cb7bbf01aa926f6300732756745763be8d677c04089de01ffad5e03c7d70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
e2456c4faf8e42c347173a0ddfaafe25

SHA1
241bc91bfcfcdc451fa418e127c084f7133302f6

SHA256
848d16c8025eda3edc375b6bd6f10348a84f72aec015a56597c73ce3acde5c26

SHA512
f88fba673f822cddd3d667d42830c0126770461aebe92f6209fd48d71e86360d96d65741dd43880b941b59fe75c5f2962c118bad80102dfb4e09bdb64f77a580

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
5d3d294b10a409ce66692d47c5679047

SHA1
34ada5288721dbf7594ab4cf3262ed50da7d1206

SHA256
7fd464317158b95da144885850a343d4abbf6c6833600df11955b7fecd4d8ad1

SHA512
96cb58b4fb9f7a49ef26049823f3f282aa6a0532d2e289d44cc73787fb2fa843d012dc530cb00c2e0dcd5332093bd67caa82cecddad0d2363e2ba7b446f974bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
bad12fcc58617a4fc5d496d9e9b476c5

SHA1
48252e1bfd51b4a25f2fbe5c16d935d2c4a3ad73

SHA256
f103fc95e503698655da3e5efd5a10bdd2841070f82eb183427fb4cccdc6648c

SHA512
a48f4a8c97773d90b59b51f3ae48939e0e233d7c13b0c541fa90d0716cf2cce1be2d805488803caeabf6ba975b38b4c6d92a0e0b9dce6252d93dd01906066cd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
5023f1c002d3630c169ecd17d8780c74

SHA1
cb7da2ec353103ff8af42a9501c5db249005638c

SHA256
b21cd45a97be8e610969defb5fe662b9ca248d12611dbecc8eead18dbc8f2bc5

SHA512
54d451514cbf82cf06a08e930ab46ff400564bb78d87ef506408632317d4eb518a70f3ced4232394e5f16c0b724bbc6aaebf8983ef44649cf58ebd6844db648b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
5f5f146320d2cd46e345816cd7a1d615

SHA1
bebf0dba77cbd2ea0697caced975f0930b63c808

SHA256
8c3a09abeda8ab971248ebcae033e60bcf32c577565b6eb48eeb70d1ff17a47a

SHA512
e87f88b492cd2fbf49edb0b24865db228713872031df7d11d8a38c8bdfa1bf2aa950ad1034e00cbea86d54de64882aa2008246221fa87baf32fe99c069090905

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d8755c9c1e17bab91b2eca9ee26abf89

SHA1
9d083f962e3f51000a2c52e57be80cc771af8a54

SHA256
6e8f51547421bd608410cd4fdf39832d95975d6cc341c6c987668c5f95600b1a

SHA512
9b7d15d6f45c0b6e32aca67ebc8a44fcde471dfbfd02645042442d2896006f785003dbea88a6a178d1d2fc686b2e2082bd10d867385dbfc23edb128857d55911

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
bfa8af6ffa34574653a173a3575c57be

SHA1
f85b891dfb7364d8df726820e53131423f93cb9d

SHA256
b8fb07f3f755f7f1cc9a134f5c89832794e614a65417e64cc12b88c7d1db6bc7

SHA512
92140616aa124707b2e8fa78027f6e340aa3d0e655d15ad11752367668d80648a492c2b9c88aa3141cb4746f593dff1db21a5d00eecca4f36b16f14ca9d41464

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ef9b0938a97738aaf076002440f30675

SHA1
713691945b0e229b6560c948e30f58cd5ea4b5a5

SHA256
0f3fa9ce18e79fb033a389dcd130da0f3c26186a17e9d4659071fbeb7a9909a0

SHA512
6bea7eab232eca808465882883f3dfa883985f4f2c9c5db3cad076a1b22dc4947b2e34f797f621cb3e8dda1b1fbdff55de4651417abd3edd95f22ecf2ac95127

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
578c11ac34c63b3697e36943578a8398

SHA1
4621f70071463bbfff7acd20e46cee960311bb15

SHA256
180de97d6f2a19658a29766eb45c918591ba20ee418885e4adba9d69f67c25f5

SHA512
17b52c52ab3525f652abbf887659917b54c46226ffa84737317ea987f5c097783bd760457d016e141f0603f58806bb636655d62e0d543d3c956145010a861d31

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
78b08f1e423b48836cb814d052cec258

SHA1
f51ef4c842732bf1787f7fd17ee0c6b255ac4171

SHA256
683bf0939b5b85dbe527a88bb6e6444327927f0cf12b4d482507b62aa65a944e

SHA512
5a17a0e5800fd553cc63fae1a863ce985142ceadd4ff0e0431e1a55aa175ca3c4ceed1f3ddbe9a3b602db4fbc34761ae6ca599ef1d5e19767c53d49fcec928fd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
50dbb7018e4c68473710e9b3bcf6c96e

SHA1
680393451faf4886029c1ab28bdafd98a8dbac60

SHA256
21bbcf9817f055d02879a50ec27c94b044bcd0065dfd151449ea7f67c7442b5d

SHA512
52a740d0b5907a1ea1f4f2fd861fd6825baec1f250214f1ce7554d73086d2b9a6c7eebfd14bb957dd69ab55bb8195629861448e9e0153caa76bbd3313478a07d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
8eefaa833f8ea34a288682a6872f33a6

SHA1
22005045209ee4a2a5167753c93a052a905abdca

SHA256
657850ae04eadc7aeec2c42332b1d750d04b9ed4719923a51f5e05c4a0c0ebad

SHA512
9bd49cbed27e99c32537a32e9f2fd6a0bf6f5577ead32cc2b5c0dea704a1e749a1f12410108f22c6a66b3cdccead4fd2c106d2068af0bbb0961ef09b7ee3325d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
c898ac4dd1b44015dbec6e811f2f4efe

SHA1
66c22b2e2e9b551b0764c0b0b8b036f6b6d44a49

SHA256
672bbe22313dd37ff14bdb2a8b57a8f69a2ff5ee56f4fc443550d088e85e09eb

SHA512
8c04662d035b92af9b20d4bfd4605a3e3b28c83faeb0e1b91150672b26169216069e7c59e5783f6604e759b8851145647cedbe0c4b300faf5fc99b6faa558dba

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
88f681bce7a95551024fbbc577c33360

SHA1
81062669cd40eafca70f83a05d36b8d73fe59f62

SHA256
592289ea5875472ef09f3947cf254b6321a28bdbe897aa78a38408fc47348844

SHA512
ba02ad880d16522d75bb1ed84a5619e116c19998ce1b7db1f1abdf5ce96103b7d2876663ebf5e42edcc12928119ff014be3160d4ee6128699d910efde9232bcd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1836aac8f8675f9f3f5a8b2c60c3ab9e

SHA1
e041ef5d5b934f94f1c87e07368f0b1955da4e95

SHA256
ed73bca9e570b6d33d96f65647bde801475d30d411acce0193d30703a9db37cf

SHA512
c72b49ff28c1054fa140c4ecc80a61c77d512cd4cdb8f715ade8c0507527c870d64c8a68fc9554261d5e6e17342ccdcb7e73e462b8e9607e71f18f241d0a8580

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f3fbc9aaa96f9c7b087e27b5bfb3e5e7

SHA1
372839709b044dc8dfb0a42a56d720bf880dfd12

SHA256
2f4fd90cabbc74c3c00a72ae34517f86de34aba356f71d69bee40dd7ae922894

SHA512
cf7ac6e21bba6c485ab21d6c0f65860f6cb8d44b3140d322fb079fac6bbae6978114d1383b0127521ece0928cb1b9cd962484d59f4c096b9a9ed41f975c4e84e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d274a58f80e3aef85efd78a62457cfa8

SHA1
db583f82f3917f3f4c9b8250f5799f2f7a9989c9

SHA256
525ffad3e13922b35f26fb66c98e8fefe4796120a58b935b43be5d960ecb753d

SHA512
e45ba81139b6d3666e44a2d5a17f0de95ba2cba3e11d472a87cede16c03db8f2fabf2bae66fa86da23686e4ce087f618a1aa3257707dca780c492f1f70bf991f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
113401f9b16a75e9ddbeb4e1b0457785

SHA1
f73b3ff99289e4be8524a08e85ec52fee267cc78

SHA256
b0a83bfb4f6fadc915ee5a86c28de35d48e3c4a06593b4b0d64d228988bc8364

SHA512
79f1495ea6851f8a8aeb70f9311930f099d9fa4da0946cf4f0fdadecb045ec5a8dd36b4d5478cad2b6ee35fbf6ccc17d468dc81fd30c7c550b5c29ab1a38b986

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
668abff2e121be76f99943d562e531f3

SHA1
b710da9a15c7137be8edad1fa248b0544577eb9f

SHA256
eeb873d05824efb07096e1374bcca2f4ae7842e354370d428c992a01aaa8e19c

SHA512
0dfaeea7c391942e643cf06a7ad993084b59b76d55301bb2a2a7ba48de69e0b2e6c6b8b6c8be58cc2d443ebed9db09d5c032ae2b23013cb7e20c124c32d1b76e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
584481d1272b8297a05a1a70d52ddbca

SHA1
c841c333b7d8bc5eb583d3c79b29dc5b3831ddfe

SHA256
ee18c179d6de266b92f1c6038ac6bf2ba1e1fadcfc07d8b313cc1230b1e1af32

SHA512
aca468e7afb2bb8127b3f2468893836e0b415fada0f061e7627f243ad43540456c0b4cc605a15860660ceb679a29c1e00d382b0574549a97cca9d5499ea9552a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
6ec99e8d87f309f738fbfd2b6a35027e

SHA1
2f2b41d82923d33fd962c61b3d7a1eb549d8b99a

SHA256
b534708aa9ff0d971631b315b5381a726b47ce0379e6de3c3b8626839215b797

SHA512
f183035839e5d38cb120bcf571b8e760debd80d20798019ff292c475de972cdcb0c5ba11f2b951a75e4cbc63c579cf5314d05a1fa1c20a1a259579075ad5c5aa

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
701a6a9075218531dc661f841662406e

SHA1
f9abb7356d7c523e9471eb77e758002cb949a16a

SHA256
33fb66610b23ec7906c554be0533a7803b0462dd13549fcaeff7e587e6db9b95

SHA512
c1613ea8bf58e222206fbf15fbde5e245898f00af242167ce471fae2781b551922108872338d0acbe0c8673433559f20b44fbf36c1eee7a9801b292dbcda5769

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b487ccd8cb7341f79f287102d8f00931

SHA1
4cc2e3ef3a606cac9e15a4b56f2cefa95b2cb86d

SHA256
7ce55e7f4d406d16d380787d25afdc7e67bf7e47fd96ddc5a1b3ddae75b26738

SHA512
23f2075def996fbe2925260dd8c963cc1304d397e68f21bbee743aa1690647c65714ba58e7ad4a0e859532b9db214d8f6f2f45218f22e59b6eef892261fe9c08

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
4bc44a3857d32afd8fa1008503480674

SHA1
f74c4ef9fc04f59bf0970884a644e3ce8f3083fd

SHA256
fa904cd080b42dae83b68532d6149ac75e6ebe372b614056a3933be56d5d7e14

SHA512
11c33ddd3d39628930e26a6968f54322d469788f05781e22fc4d6e23eb6793c7bf330bdd8f19d9671475fe7311e6a0a2108a953ba37ea7de0f65b406ad206040

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6f107ea86b804632403acdeb4f565be2

SHA1
affd03784ee8d4f2efbce87301e067028233d2ea

SHA256
e8752041f72ded017d7a1f3c65aa9fa6a8ffe8339f55eddfdd102dc55ad1d213

SHA512
600dda8a58cba4df47777f26faf5707ee7087200650af22aee39a0ec8498a5e456d437c055f8eb598703c1b894f05e2ab3f6cfcbb60d141598b473de0aa6d865

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bd631fa2eb0614cb5a9164fd56182e75

SHA1
a0f78bbf479d5c79060e0d3a43aaaf4416da588b

SHA256
091133dc4019713419fc84db8f368aa416dc0719eefa28954c8e632f4ad62bc1

SHA512
210a54cd4f3c203b52d324df8541b6da3db971e69d86406c70d29d09f37a3e64d80c2c49824475ea21d7f4ea8e770707b56fb526e3d8b78ec7618eb670aec71c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
fbffd6ed5129d62fb803ead7772fd160

SHA1
ec112e9bb0904d042549b10d9a37ddb53eda5cd1

SHA256
39165f36f9e18fd085e3f2749e896bf0c28556b4486852d81550f8d2e849b3a1

SHA512
af7a0b5a4c5ac65a198616d856497cecdc03075b2103107de83b25dc6a3ce41d95f987c63df7db93a39bdd7a8d99c6ed5062248dfe14e3e090135f685f981f29

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
29d5d3ac53cab719b04cdfb6700b2fda

SHA1
3802fdf9a1e843b7789946d5e289cae0217208a0

SHA256
2e11193a42cbc4383215ececdf826c3581355975c9662154ceb7bf8412b71160

SHA512
043ca6c45d90a4ebecac4b5ea0fd9c1833f421b4c27fde81887da57b7d985d077644b170cf0d98e71f1946d456060829d5805a861e728d2b00056a0f9548b760

Download Submit
memory/612-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/612-19-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/612-101-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/612-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/760-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/760-503-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/760-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/848-116-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/848-233-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/876-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/876-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1452-88-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1452-97-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1456-128-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1456-239-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1584-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1584-1-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/1584-96-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1584-6-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/1620-504-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1620-187-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2036-131-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/2036-251-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/2424-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2424-603-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2928-48-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2928-49-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2928-55-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2928-165-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3056-605-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3056-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3492-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3492-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3492-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3492-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3496-215-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/3496-104-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/3508-604-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3508-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3628-196-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/3628-601-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/3704-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3704-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3704-58-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/3704-43-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/3704-37-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/3808-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3808-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3808-33-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/3808-127-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/3912-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3912-610-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4188-162-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/4188-405-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/4460-490-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4460-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4492-83-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4492-81-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/4492-85-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/4492-79-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4492-73-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4740-259-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/4740-609-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download