f7094142e8b382d2f338b6c87ef3e67937d611d8715a089bf4937009e861ffbf

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
Size

712KB
MD5

d45a04e3a668ee764756a83eaddf81e7
SHA1

5149c929bfdcd280796412ac13f9275471f2498f
SHA256

f7094142e8b382d2f338b6c87ef3e67937d611d8715a089bf4937009e861ffbf
SHA512

f7cf09bfe6e8dc03943e846adf16fd01affd974106ac5e2386658bab84ac16ca6c0e443b924bdf195b2d4b9c8a4842cdd9a2a6cb8777345a18b8d5fc66f5e376
SSDEEP

12288:atOw6BatCoH/uLJOyo937vGFWxwFJI+yeuVb8r+ZP712Ii+51cjVWtVj5J:06B42JOt934J7Z6bQaj1BvUm9J

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3640	alg.exe
5072	DiagnosticsHub.StandardCollector.Service.exe
3116	fxssvc.exe
1300	elevation_service.exe
3972	elevation_service.exe
4136	maintenanceservice.exe
2660	msdtc.exe
3060	OSE.EXE
4408	PerceptionSimulationService.exe
3484	perfhost.exe
696	locator.exe
4608	SensorDataService.exe
764	snmptrap.exe
3148	spectrum.exe
2880	ssh-agent.exe
428	TieringEngineService.exe
4784	AgentService.exe
2236	vds.exe
3276	vssvc.exe
2416	wbengine.exe
1940	WmiApSrv.exe
532	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e50ee09689816891.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b0dc37bb4ecda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eeb66e7cb4ecda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8d5107db4ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2b1cb7cb4ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a53ef17ab4ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000991ef57bb4ecda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8d5107db4ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed9b157db4ecda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
Token: SeAuditPrivilege	3116	fxssvc.exe
Token: SeRestorePrivilege	428	TieringEngineService.exe
Token: SeManageVolumePrivilege	428	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4784	AgentService.exe
Token: SeBackupPrivilege	3276	vssvc.exe
Token: SeRestorePrivilege	3276	vssvc.exe
Token: SeAuditPrivilege	3276	vssvc.exe
Token: SeBackupPrivilege	2416	wbengine.exe
Token: SeRestorePrivilege	2416	wbengine.exe
Token: SeSecurityPrivilege	2416	wbengine.exe
Token: 33	532	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeDebugPrivilege	4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
Token: SeDebugPrivilege	4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
Token: SeDebugPrivilege	4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
Token: SeDebugPrivilege	4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
Token: SeDebugPrivilege	4316	2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
Token: SeDebugPrivilege	3640	alg.exe
Token: SeDebugPrivilege	3640	alg.exe
Token: SeDebugPrivilege	3640	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 3116	532	SearchIndexer.exe	113
PID 532 wrote to memory of 3116	532	SearchIndexer.exe	113
PID 532 wrote to memory of 3436	532	SearchIndexer.exe	114
PID 532 wrote to memory of 3436	532	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-12_d45a04e3a668ee764756a83eaddf81e7_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3496

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1300

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3972

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2660

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3484

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:696

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4608

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:764

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3148

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3488

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3116
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
611f4e2071c713ea01ef40d117d43b0f

SHA1
488495bd29cf45d2c009e4fdbb201873230659b2

SHA256
60628cfbaa8baf1a7cd409be1eeab8bfb9df3b6ce1082a6dda62aea36b14dadf

SHA512
a17d227c009d7c8ca821a299d244be282143ee67c3654fa72cfc7af0d62f00bb364f2f2f4449f0ed4d271a1a3e3a99aae0fcd65896a32d7f64cb7ae4f8ea5f77

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
5c1d39886d516f9beddecdf3595be29e

SHA1
97cc37f8204e9a4a8b7b927a8ac923e8482ef44b

SHA256
2bcd7ab09597523c843c85302977051d743fb5da6df257e24181f91569bd85bd

SHA512
c592ff6724a5ee1d9f54e3409ddbdd6f64e0ee28796e6efd4accda429eb92f4446d76b30b84364647543d4ba8fa8a0e66a19313e4f045e11bd305eb78cd46278

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e24d090a88c002984651cb816b094dea

SHA1
7ea6e1cd73eabe177a382975a521270719b815a6

SHA256
3411ae974b79fd08481b121ae9ce4191292414f61c05ebda80e80bdfe9440fb0

SHA512
8f5441756dd42559038192cbdfcdc69a28915ff14f48918d4f17ff664d5c89eb167ba657904cd98ff167f8276866c5659eda19454ae5fb3a4bf4a6ba1b4c66f8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1d0cbeedfbd743506945938bfbd5a2a3

SHA1
4cc2adbe9dc5776b150a567f75d16fa931aafbe6

SHA256
c2e531c61a44fb548a939e419e50ef91807e3955f17b6975100e53e656e0583c

SHA512
11af014f71ebff9540c81d9f192b3e7a899146c6a8a7329cc3aebaa32e48a8a35299718d98de7902ee993958f273fb0520517ff18517820c4de3e44bca1b3878

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9059138b84f9cae3f03d53118542179a

SHA1
6c1ccf966852b36ae190140844abc1cae8c424c8

SHA256
aa79fd8abf555114595f41fc77dad7a0e7e662f7213d05410226d33a2f9beb80

SHA512
abfe021ec692100011212738a0c5d33b67a334c8e549a3f92053481eae756ab0dfe905cf726215aaa4c383f48f03fb1d370a108642a0137c53b1685ed9f67bac

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b27b7917657aea0d17fe503f0f801552

SHA1
6deeac6616244a962b7f4b01d7deb654cbc3b582

SHA256
b2ba5ba5134299d6aaa243d946caa10e534980dd1b847055d899b2a67a561159

SHA512
3897984f5e3b8fc10e3d4d76d91334dd4df47d3559eafd5935cd84f82a9da3f0e455bf38436516a4c216bfc6e087e0fdf0b41df8610ea1e1fc1d13c00cb52663

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6b12a9fc21cc5c81bce5d444c67d4cc5

SHA1
a7f2d7661cad42facb0d56abe386a0bb52e70fce

SHA256
5ce0fe401b4cbb33c03cc207c8f513bf25e11802527e6300b2a252dcf9f8d5b0

SHA512
06ef47f6d115b7216d678d23814279925a73e55090999930a17fa0ce2b04092b3330805f18ef787a7289deb37cc5a214009a17414ae6218a67cfd7c0b402b0d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e7ae7527c487acb243cd7617fa11bbf1

SHA1
0545d4288673d51ee6304832d657791bba2734c4

SHA256
fffa1c8459733be900e0344d99d2774d93185d1e56b33a641e9bdb2d5132ce7a

SHA512
a128f227f259d73633631432a57df56b8f0eeda6d1ba1d9ee557b8f3a9362466cbb41277a2312a6270d9994bc09f0f1427beef4245ed0650a3430be7d5261aa9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
06d21f6e50d37a7b0d50930a7a2a2d41

SHA1
97cd1325def0b9472cab51a34b2f1cff3fbec3c5

SHA256
304dfba44b216332905977086c29b0a1cd59e55d8db57f31a5f433ea95f0a105

SHA512
f7c1f46fc97f1a356a4f705ca9d520ee3cd812bb7567a1a3f01580f1fe1903e5b3dafcc4c08e7196214e22d4f96219d42288f0e1e5d7d70b6c130bb4c5a05e3c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
56042feceb051ac30586c33eac15e4ab

SHA1
9d01750872c662b40fc489e517448c1ac491a3e3

SHA256
8b4ba2b870aa8e710895548a276c34fcd2d72d19cbfcac022accea548663844c

SHA512
823c480b87375765a40415d3c588d026fd2558d10366ae241ecd658df9d07ed2f1690ce76544d508909886a19af9c48bf5a66105783100032d1dde28b2271fee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9e1ddaafcb0385a76e7a6fc16b7b90fc

SHA1
2bf175316da57190345ec5b7847dd78f10cb7caf

SHA256
7f413e696ce19780f47a5d15a7e77bbd0abe1b6706053b7ca8cd6d05571f2c94

SHA512
c8a4a35302c885613d91748a122eaf7a61ded56c5b031d8be45bd8e48e74d24b28f925057820992fd9b74d78f9f83339174291716b948df8eee2f9e7f2f3e72a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8a5caf8090b0f1d436d203eb9d1d4837

SHA1
915bef9660deaa41605f81b56a2cc048736af6c0

SHA256
ca19d665cea3f7b1db8d2a50781d7f43771a7c24b24afc654de67e006ccc2eba

SHA512
e95cc6fa1345214cd9b07c3077f6e2cd3249c53d6834090ac9edab934785bbf1ea5287da023cf47475f9fce2184e0f916666ee82cf5222c103c9727715af7e73

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
0c603a4ad59e5ebad32e5d35f64e416d

SHA1
0db98644314ca1ad0eec02a498fa9d3952afb2d1

SHA256
932269169f06b462726cfc3afc29f4ee6d7d8894907a2ac7c04219271d8a182c

SHA512
5613b2d8742ad894f5bfcf7407834fac8db91de52ca7a11365715ad89313a07bab2492ed794a02993663fb8b2e9bee532c31bc978e6a42884379fa7d065e66a6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
1e573cea6603a5aeb88ca5795c0b033c

SHA1
d1dabaa0f40478c7fa0aeab3328bf01ac6cd741b

SHA256
8daa8732b57c93005d210997c3b04c9614def17ef427c69106b8d56a4b92b6e6

SHA512
913c1711c6823b1216960d753473e8f3a59b8dae71d7aa2dacfa4ed9ea1ca19ce4e7e13cadfe25f17f724315bb68d11a6b2af240e00afade23436bfb36bf4813

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
65eed13cbf6765d43529a4b974047155

SHA1
79cf91ecea7c689d4b4906059f084cc837d6cb41

SHA256
52543b1582bc422e93fcab7007f2e4ee1d846e55ed44a48ce2b58725050a4a94

SHA512
e52ada42bf97a03ead5059cf4a16591e30462ddaa62f7855e9a595b85b09384c0d27752a8c0df9f9eeb85a06b3499c8190908445fac25eb891cc9ee13dda6cc3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
7fbbfe152e1f85ead2465db1be8cddb4

SHA1
563299812f7d40b0e3738f7ac7956a33b013fa32

SHA256
26ae123687d0857d385072d50c5f1d3ce9e33816b7c0b18030331912c8951955

SHA512
3506dd7a9b4b6c7652ffa4b430355fa05abc023321e7c71b27d0d150b1f4cd8b0baea6df079608382a544d73a2a745ca85ca85ea5e6a8b67e7ddc364e4c2bacf

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
c1353c54487e2f5144f3b5d1d6abf90a

SHA1
5af33750ce45959ae8ecde3fc2555012945650d2

SHA256
da119e804a87461edfcf4d8bda836e40cb9747be4e14743b732eb2060b2096e4

SHA512
79951f7d5ef3a8216e91cc34b5b694204156c04cb780a4ce70395f1a3621d5f7edd235ee7bac495d98ab4e855e7572aa134f0c33b0d0a1b52408bba25e079f95

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
c06464418ccb13ddd18348d8ac541372

SHA1
22d3926daa9aa427360c62f56e56e1a691870eb7

SHA256
585402a6636f27703db2998c5b3f669deb2e69c11515d79b7d66bb71ffd14063

SHA512
b1afca9c9e9fcd323a7ba27b04a9dcf4286106d02b789f7032a268c166d1729591c42e6bdb7bb033ff12b15baab6ebbb80d08e051e8cad5978d1cb0e2e6343ec

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
76ff0e683a8397203fa9c9468193bab8

SHA1
d224e29f4c75ff572a422272e0086cb2306cd6e6

SHA256
8b81fa0ff03775db05d93bd46821cf271375925710246cd4102f5a8172a071ec

SHA512
9b5e343ea58db435fc4c5d2f29a18fe6b4c74148ebc4d4722c1fb7ac3bf7446255ee8a4ff18bf1d4797cb428a5b4ca9d2590527d2f05660dadcf68bafe8fd18f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
fe61c3c93fb64f25666d43a9e363d6dc

SHA1
2ca2bbf104e6dc70005150826e7bc55d75f346a9

SHA256
c880a00af30e6ae0362b62ed828d32c14552251483e58b2e4e93520cc091e12d

SHA512
6770b053eb78d21c89d9a36cdc310ce2313ccf14c59cd05fbc203e160d1f8c3530e33d7b08937b19b9a3c6724f35c2c97e901890ea0915efc0d1197710c23d7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6584c02e4bcc88410835e815e0f63fa4

SHA1
3b29ea88494e027fc6ff17cfc04f4fe20a37558b

SHA256
497647ec9a5ae6488bc053f1a47017964d82800276c3bd67b115f2011465cd0d

SHA512
e9a23d7f5fda385159868cc32bdb8571c344e080148593ad4ab5a4a7b16440301dbe7cacf700566cf3d168799334ed779306e3c36e9a5cbb1361b19dda573d9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
aac7ec5e5c85a429fdc4edadde4f968b

SHA1
f063c5a85a2a6222cea9eadaa73d31fe137976aa

SHA256
40f90d6b564f85a52e5fd4a6cee0f56cf625a922998dd3a348db4b7f298ae2d3

SHA512
3ea19377aa24505201fa0cae99b88ed6da74c9961824685ae0a378a99f105ce3df68317edbd5a350a60000d0041e66dedae7dacf57a2334da4cbc2517145c533

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3b86f222ac362f80e1f384779054d2ed

SHA1
69727bcb4e8f55fd840714cd55175c6713940d97

SHA256
b2c07fc7e220b0b7e36fe87fc5dd37697ff728ddd68e23fe9558355f31846ccd

SHA512
3d8d5be115f1940c56afb7fa2216e6945ca2a3f5bbd72be33e95c201d258771e5d0085c6c443cc0ee0f74f45370a7e3567f307f22e35fc8821ccf68d214ba7d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2b28a66626895f6a74a6e535175d60ef

SHA1
9c6f217651018696b91863f956979faccf9e15fa

SHA256
99287fcc949adb46004fe6ad760ce6c11a6e5d2853fdbbe08c75bd796dc937b3

SHA512
56d5289b26f0e63d7fd151022f4904197189ed1e7217793a26ea6f18170845c2d0580f90bb5240ea2186214e47a91c21bc962efd1dd96f7d6fc82448cff189f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
2f7fc7293a2e84248c3055db0cd05fbf

SHA1
1ae9a6b9268e045b677b1b66c6ff668f0111eb00

SHA256
10e2d386a731a5d49926efbd9287740a913b8c950f6c954f7256395fd9f0ad3a

SHA512
220210d385e88421e4e60fdafc1be7ebb4fc367e68e2322524248b743615290dcece479613a1258b442ee88aebd5d5406a3b5ab63e226aa1cad278e504b125d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
dd6794485842718b6fc66ebfa4283785

SHA1
60dcc28a7fc5c07f8f4a007fecd4eecc61959687

SHA256
a19b24d9bf079bd9fb26012727ac1f30b4475aab3138743cabd1748c6c6444ed

SHA512
4d00eb8bb698a0d681d1d97c4ae1ae9fce7320213a0edd0e779604320cc7cf5931caab5752f1edfea355436a3cf93518ab1b2f3d81906a77312ca155b57a640c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
b2a1d128d489faf8206f41e7f9d480f5

SHA1
ff634f05c247c3499d5677b19185b74adae48f2c

SHA256
518fb9d8eff02fa2cfb8cb1e15701d780c405b5e0badde36e065783823e4f9e8

SHA512
6f07208a8c7433e8403e1999bb72f95d57bcd9382539c112212914a86ff4f422a14a38ae884b9126a3829cb5a27a0d4ce8a918cdd78277a9b4ff48028e819e15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c9d25e7c53189297b410252b9806a3c1

SHA1
761832fb63ee2d694f1d039cbb4a0207f3016788

SHA256
a7637c3f0080e3ffbca86eec8ea2b12926a67a018663716430df4670a760fefa

SHA512
61f319ade4e2c703e94b3db2b3ed0e51928dd8bb33457af516881bb84c481f94a700d1d0f66e803e45bc0e19815fff15f07f85ab1b9999931b3786e8535cd0f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ce705785c10350e27cbcafb310d597f7

SHA1
17fb9297eae3e97cd170f016c463cbd961ecc14e

SHA256
68381ef4a16233c38329462063830bb0a9bb43b7f7a6bbec9dcb891607175728

SHA512
8db3cc4f95283bba5b9e70d81c7f67ffec71777a33165423a000f586cfc5ee65433544fb1c798892c15db0328ce2749dd3c0c1ba66376a10a6e76317779dc23b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
5518d65bb2f5d09a06c68877ecefb53c

SHA1
3d047ab397fb14beb1a7bcb2fb19912a6631153f

SHA256
e9c61b07dcbb7626b46a3b60690b9b074a94d62acabd4510f69ed9f58fdd2e75

SHA512
d52e4e70eee643420c4450dafdaa910149047d4c9dcfb552098913b1638109de6665f00d665e9f071f7a5a4e9c6d0860442980b29c657f9e0495d0d8ab2d6237

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
5c480b8d5cfe21a5c4658b823e31ff62

SHA1
7ca293b18397b9efb10c05b4eb58e0e4b2c6f46a

SHA256
d29337a4edfdb3df5db68d761a1c613134d505885c6d6f16b7929eaee37e8b6a

SHA512
4e6fe969f83db7963e4ca20bb2a41e7677600cc48e141873354fab278c94991ea32aed0c4659097558f742f4dfa32076eb55552f184eab709b756b3ddb05d089

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b069bc4a3b742d21c84a9a15d92257a5

SHA1
aa5158ebf6160b31f73a700a42219f926bf637b4

SHA256
303a0072e70566d638ffcecb5ffafe21467ea4fd758b994eaaac231e0016024e

SHA512
f524e0a24032b794d2100015546efc811c8e4911932710e3f482b945e64866318d9c59449d9cedd327abfac100db7ef99e6e78278f108444b02ae9c9ff4a55c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e7cb1be36d86c2da46c733d1b5834f59

SHA1
cdf3cd6dba101110efb6a257e521514830b0b3c0

SHA256
8f161af1ec5febb402cc658a4ee66b25a44e1c07518b4118703b1fae9034f205

SHA512
42922732af77d2723a9d79a4612114fa494f401eab43ddf99f3eb2bf933e0ac90e913a3698900eb9c9e4c2b280637a768a9cc4de5580dfc741593e9ead09fdb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
62601078b59752243d238f1228556fe7

SHA1
4bc02892b5f74343b1d88f5dccdd921440bb0877

SHA256
754d59aef50ed0808cecd5ce16a6a0c036c9645173b98b106283aae43d368861

SHA512
364d2e9ecd64488c2fda95f43155173171cc136d5ecba148362c01d4dc3707592db5a43bdc19bd4db3c86b1b9e8dcd9a9a249edfde2eaa803ccd08514465b60c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
da9ae1c0f2b01ef6015aec2bca836333

SHA1
d11b7d334660469f636b323c6607f9810d1b7895

SHA256
5c1f17e9c21cfb2ab0ee7109542ef14f2a689435f6fde33376c4e91a078de1e5

SHA512
44395acfa0a88397b424b588aaa593082a87dcf5a14342933f9c24d96639a0832fd8a3b8519a89bc73dc0585e6672c6564b57de9b3b3df2fced3681a3f88b5da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
ef4a82a0fec62f5e3cce1a647e12a1d1

SHA1
3ed330ad5334df3ce6a066fd5a70950711228955

SHA256
7166eb1fb64c0c34abf0fc52c48fbf3d526b9d1a32bf28719fb9d975d76816a5

SHA512
517b8aaab931b99173ca75e7c9441b93111aead23e1643047e175b776e9c51deb06db07f2355dfdd5f5d5b4c5f8527e0302b7d9d5986a21bf94970471c133e80

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f6a7102174541b201ca73503440df1c1

SHA1
f81399a61a7e37c9e83a1c4103b50b54d9662f6f

SHA256
1419fd5d4f860c85fdb0f569a43950cb5e4c90c870c473409e1be5694589d9c0

SHA512
0a405635a31315744fe812c6898ce2f9c7ec620c28221effdd867ab596cc67d77199f7833f9374dfd316eb24b27fdd06e4a321603487d2d2e9575351b9b596d2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
18e663b74abd90f3470e03be3aa6e9a0

SHA1
838d4d99a9959a8b6457f26d1560f1b491b7b72d

SHA256
17c56e9405cfff6672111843e95608fe27574fd4c9f7019228c14f91d035baa9

SHA512
88d76e96611c0a7900714adafaf2a80b75aa1cc67eb98177677c973f0f11510b1154aa09dba56e0cdbd0986bf924b528a164b9a0f1b52d3193bad4df0ca7aadd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
dfe547f2b02fe3458c945db58342e44d

SHA1
dc5aac7b757fa7aebb697486e753fce5699132a0

SHA256
60477e68cfefbdcb22fbce36b3c10bc6baab8ab87e06dd5802a33fda199f99fa

SHA512
895cf59e4abc4d34bc75fc42208b604e56dcad2067d5363b79d6c0070c6c8cfffeafb3a94761c97fc0ed4e404d6c478cd2091f0c221ff5c8df8be3a1f09e54f2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
66f3dfca8362b5c188fec9ddda883842

SHA1
1ba515a5877131d49842bca366d4a7d001d25b3c

SHA256
44b01953bba0322003b0acc7d989f926dbf60d99f80046660077fc3528f1766f

SHA512
73fe7f74a29b05c20a264f2bb8d294fbc6353bc3d4bff0392a4c0487c71f6b3700e347a60fbae217fe64743bc5524d1cb3267a7313321b6ef7b891a30b1d744e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
48b4621877f3690fcd23c768ae753d9c

SHA1
4c11fdb8915ef8b06377706d053857625eea7a43

SHA256
8fb52676c2cf1cc2612f842e16207907d290a5cd296fa1bd00ad61bcab82ccb9

SHA512
bf4b41598ce4a4831431c95ae7dbfc9dca7da89fbcb46d72a76ed8cbed8133fb7eeaca29e6e80ddb3f0160318a3fbb53330719b22aaa9848b04aeea44af93a7b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
07145a1bb4919be44f61f12941a61611

SHA1
ef4d1b12ae9b14dbd4a563c37204ac376f3dc88f

SHA256
808661c8afb343c5ecc00f3fa5dbe0f5f9c1e0cdfa6b4a4829a904953b71acaf

SHA512
e1203cb304144923da030cb7bbaee82cf324c3babc040ceed1c73a57c3f8c52d535a58270362de76320a7b01d61932bee56119dac663ac3b5457f250826c328e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b6a5013eabaf34b8628e14f9da98205c

SHA1
6ce483a2bf5cd1678d1bcfaf492905ca975e1d2d

SHA256
d7e907758ce8fcb89469406216ac9e1f9729e0b3b1198d9e2c7c3414e20c5a8a

SHA512
e1504070c395726b8d6da5d5c790e80dfb0e2c3ff11bb8740ea893934aeac75c64f3633d2fd43272e2dd48bc82a2ebf5fccc1ce63513e029148faf91381859dc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
5778739a33f1a12819f1a76e808941a9

SHA1
3a79116d196c484f76a33f27629704af5d9e5643

SHA256
d90a98f726527ba7c9fcfb275163367afd53c47bdb31bd1732f21f9940d44eb8

SHA512
41d7b1c9486a413e76f26b11d7c86ceee491ee4a22e307d6c76cb5834604bf654f1d83877f6f61fbb2c7aa6b809c0b47cd52d911d8cfa09ab4e7c5ed561e7bf0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
18211ac75f05bc54dc6b5ea9b895b008

SHA1
e874dc034d8ac25b735d3435e0eb36e732930d46

SHA256
9ec7c09be2386ee23d4febba7d5a945a176ecc3a7d659f39f346ac3bdbb26260

SHA512
1ce721512103dc5c609196c3f0dd25a3d02defd15a9ea818f521a78ecc4e2ff10a58325bd253166328bb96adcb9c5a1e4d27de937768eeec8bc9796a548a84f1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
55195a98cbc26917f136cdfcefdef401

SHA1
acbf54985720c765573cbb12ec79d7c5a25941f0

SHA256
c4072dcbe467e8963670325068e2f664b52cc94dad1b8fbdabfbc4380b65d2f6

SHA512
2032cb4000a4605da4da1c3f8c361f2af82ce3b2f9626c6c1f3644ccc4d6e81a8615b3924c97f69a64a09a77abf2045e46ff5c0d90a018de3521cb722157801d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
48d241e10379a3969f7b6ff4dffe2752

SHA1
ed9c076b924e791ab226c72cd54f1bcf0dce44e9

SHA256
c752d7c8ac1de50800c7026be6596cabd9038f1264b9a7eb75889711db1c736c

SHA512
1cf145ded5045313c77d1e3f682a99d88ec6c6fd556104fa0f085a7cf38f20683563dee234775e1749f05cc77d69c046b2b9a7e547e4f6b72fadb6f1258785db

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
426b13b6e540aa5ee1d007d391c1fbdc

SHA1
36cb8373215f7b2bf814c69e7c9e33a229b392bc

SHA256
35a81ce011661abdd8dd8cea015063ee7609e8ea5b26bb5dbe742fed65711bc3

SHA512
2b0067431a10a97f63b59b4d6f7e2832264b07d9da024ee7d5e64b7e1ac2049b31c5a50b06f58b7a7de07e7d984edd280f07f6f26780f047d3e5417fe4b6a0d7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
92f75feabf69f2ef526107a3309d74e2

SHA1
697d49e52550c5a5097a135b5e011932e0c867ba

SHA256
afea8abf00843815268fb120f19026816e02fff776ebaf81a3426f67a827cdd2

SHA512
ca360dc407f960ffa005117385e0aa283a224c5babce3c1c93450eedca2da118bf767e2a62a45b8c03051ac2efd5b6c90473d2b41499f18a952e7d62d1a0234a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2f6b15642a53a5c4fefde96b6e889a7e

SHA1
14e2e97f73678bb13704bd9ff163bb088c79b815

SHA256
ef1a8fb4ee1261f7c2bd3dc1e766299a9d12bc989160ff2c8c1d032a2c1c67ef

SHA512
e02eab9168d08e3ebc3183b4e74c047d34f67549fb5538ba88efae378c83616a84616f1ddcd07c69cf153343cd0a2b35b8c6d0eb5208d2e89360fe1db6444208

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ed699dfe7429d9148cd4e378536cdc07

SHA1
87dc90c6c1a877b86871a5be9fdfaa7dbccb271e

SHA256
86c72ba08a792624ce48284c0f7a64b8d8b81268bea5eaf5f4488e48d5089dd1

SHA512
067f7965c46f986583f570a91773e1c91f519f60540f87ee1935f71549653240d0b0d221faca93230b5524f5eacb0b00e7f580609fc838d4bab2684fb5058c57

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d857fa49597c988a2e6c4df3e17c85bd

SHA1
9c945547e1ce9197d3a2a101444a16cf0c284092

SHA256
834a7fc4f1a7e24c24049af65d35bda797cb9f87a9ed1cd9d8e404a12c098615

SHA512
bd4b822c689b28152e9ee367a3eb5323f1a2300653f1c41626c7b6d259381a538fdaa0d5d7edf621e234d51aa17f6dc7ea795147e3d11f636cb2d57700edcefc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
31c62d248b4b49d0112e21ba32375896

SHA1
26cecdfdfcc3d0f792ca610cea83d9c7f60ba98a

SHA256
ff0aac1ebff382f963084166e4a34607dcf9df01b984c8e1bfb157933667a666

SHA512
d7d86f9ec1d139021b86ec9909ebc07e9e8909c2bbfcf3738abc043d2825c095ab80baa067eb2672ea665f5439b5494f2353f49aa87c16214d82d3009176c054

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1fd9433b5b44e230e6ba3c82d268cd58

SHA1
4400f32872038141ec55c7120c05a2eab0a44fea

SHA256
9ad53fe7d8e5f499402bf456fd2cf9beb01f1fd20df8b7a41df07a0a9a3e0653

SHA512
257e83f280c1079cbeacdab0560d10704b8250d4bc5ba683ae7949750640f0623751e7f3952b4566ae9b057789f543e3182e5891883f1772b97af79a708af4f1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
389199e56c7670eb75a1db9c968c0f69

SHA1
f04e96d37587bcdd56da4f143303fcf54f288ecb

SHA256
438587e9392cb17376fe27bfac126fcb02dcabfcf580c8a0d18f5c029ea8fd7f

SHA512
b1e3c38e7b636455627898f203284edf6406b80691ac7678edc1f5df35108f34b97e6ab2fe2c3b0b6bd97c2d285665c5c2ce29d65df8ab6cbdf8e15360f5c82c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6b4a6c905c4f6cda9cb67cf2c3d3303c

SHA1
a0270153be4d6b01765c60350a06f1dc08c42cd8

SHA256
0fa28b0dbd9b568c940ccbba4497054f3e739a0af59aee5596982e22068211fd

SHA512
3151d7700523c26c26092e5970dd9b63797f9077359d96693c781e5836045a9ea76c49b66178d2129a5ac7bf325de5a63b26cf12bd7dd8cb342a4c7e4b373150

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ee658716c0bc9810dacab8b0cdc1d5e5

SHA1
5195252df16349c6027f1ea91f8b845a1de5e711

SHA256
5946dfd350e9289d1b9b99cd5dd0be84f7a96ff667631090cf6b840b8817638a

SHA512
b7c37a3fe56896d1fc4109a32196fa0f92ff2740bf42e661d27671e31ba71368ba52f77dc1e65ad1b6dd9a22be35eff6e730725a90ddd94e3dc1f8ceb3ad0cab

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b250843c7ec52ca8cce09ceecb966e88

SHA1
95d844f3151a06b28375d72db3ee8991929c81ef

SHA256
671b183b6e45907f4cce80d7488bb7cbfeb510b7f1c4b2e3fa42c6baea32e6ae

SHA512
a4cce80d5a1ecdb84c788ccf111a2912eff137c0e02723ec0dc9f3e1ea89cd0bcedc64ac7b96c94e8902c204a92804c660514048a9881913fb5585b212858c60

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
fb0470e83d4afab31c478c746d3be3d8

SHA1
d7809934d471a628d0530c8ae2a8d8a52621121a

SHA256
07bcf7792656e0631653d1cb1645974511335e7f21cb761c6637c2d9bf52104f

SHA512
251bc094b908660386542ba821e21676ba7d0f684d8af99953c8b47df37bc5e518f2e6bf18ec7f1547e8d9208b82ff7afd2554777e21a824d68d33e045112b08

Download Submit
memory/428-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/532-608-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/532-261-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/696-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/696-478-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/764-184-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1300-213-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1300-59-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1300-53-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1300-49-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1940-258-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1940-607-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2236-601-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2236-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2416-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2416-605-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2660-91-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2660-85-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2660-97-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2880-196-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3060-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3060-260-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3116-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3116-38-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3116-46-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3116-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3116-50-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3148-479-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3148-185-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3276-602-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3276-232-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3484-439-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3484-126-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3640-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3640-12-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3640-20-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3640-123-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3972-225-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3972-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3972-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3972-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4136-81-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4136-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4136-75-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4136-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4316-1-0x0000000000B60000-0x0000000000BC7000-memory.dmp

Filesize
412KB

Download
memory/4316-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4316-6-0x0000000000B60000-0x0000000000BC7000-memory.dmp

Filesize
412KB

Download
memory/4316-96-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4408-125-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4608-183-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4608-596-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4784-199-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4784-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5072-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5072-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5072-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download