4edc99694f85d7f4544cffacae769d10d2c3e1908234ef72dbf59b671078f9cf

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
Size

1.3MB
MD5

d6e7fc0b8441ff553f8f553b10c7956c
SHA1

8604d5c58ad022a92bbc7d643cea368484674b1d
SHA256

4edc99694f85d7f4544cffacae769d10d2c3e1908234ef72dbf59b671078f9cf
SHA512

5c3062974e9a1f850d7e2b43cdaa55079549d8f6ed5aa2142563b6c8a689d149307402b0794dc3659d2305fe70c178936ccc34d12ce94d2a8306b73200010111
SSDEEP

12288:ctOw6BaiMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:S6BISkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3196	alg.exe
2996	DiagnosticsHub.StandardCollector.Service.exe
4028	fxssvc.exe
2296	elevation_service.exe
1420	elevation_service.exe
3660	maintenanceservice.exe
4740	msdtc.exe
3076	OSE.EXE
2824	PerceptionSimulationService.exe
376	perfhost.exe
1760	locator.exe
4332	SensorDataService.exe
4076	snmptrap.exe
1608	spectrum.exe
3668	ssh-agent.exe
4032	TieringEngineService.exe
3588	AgentService.exe
1012	vds.exe
1928	vssvc.exe
4324	wbengine.exe
2436	WmiApSrv.exe
4972	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6deea013a29f13f8.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82468\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a0ccdae89f0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013f335af89f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d37f01af89f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000feb83aaf89f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4f416af89f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016b1d5af89f0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001575daaf89f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052edb1af89f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
Token: SeAuditPrivilege	4028	fxssvc.exe
Token: SeRestorePrivilege	4032	TieringEngineService.exe
Token: SeManageVolumePrivilege	4032	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3588	AgentService.exe
Token: SeBackupPrivilege	1928	vssvc.exe
Token: SeRestorePrivilege	1928	vssvc.exe
Token: SeAuditPrivilege	1928	vssvc.exe
Token: SeBackupPrivilege	4324	wbengine.exe
Token: SeRestorePrivilege	4324	wbengine.exe
Token: SeSecurityPrivilege	4324	wbengine.exe
Token: 33	4972	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeDebugPrivilege	1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
Token: SeDebugPrivilege	1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
Token: SeDebugPrivilege	1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
Token: SeDebugPrivilege	1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
Token: SeDebugPrivilege	1968	2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
Token: SeDebugPrivilege	3196	alg.exe
Token: SeDebugPrivilege	3196	alg.exe
Token: SeDebugPrivilege	3196	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 1412	4972	SearchIndexer.exe	115
PID 4972 wrote to memory of 1412	4972	SearchIndexer.exe	115
PID 4972 wrote to memory of 1592	4972	SearchIndexer.exe	116
PID 4972 wrote to memory of 1592	4972	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_d6e7fc0b8441ff553f8f553b10c7956c_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2380

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1420

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4740

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3076

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:376

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4332

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1608

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3540

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1412
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e32f0e6e24f615fe6a2d86fc567239a9

SHA1
00edae2e3bcdf50cd92df7ae0090cc77f23c97ab

SHA256
44af9220b08ff9ce8344062f5d9b670e498b94e28c2901e4ff24c0d68c915d85

SHA512
7f4e8851b71e5fb2f1b1d009317713f32197ce57f58e71e6f905c5e34fa8da549b7114b2cdcf6f1808ea86a64baf0178076bd1b59db4e15162d341b5453f5721

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6da4a7a53a5fc8bae7226738ba670f75

SHA1
98179d636bd56dbf8ec3352994e953231da4af07

SHA256
1f9e39e8077e0e5a1632b9306e3444d2c4e44c50bd3b1ec2e347ff57df5940a4

SHA512
6e03277b512844a5be7579252cdf749c9c863edfd16872d04d52b89b0747f20d07b3c289fefe7ff7b6827afe38f7700ab2c538db91a240244bda011f0c10f843

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
09bd1eb39ceeb44ce0a932d9725f0713

SHA1
4c2dc2e444cd2d5660fc2c8575f640ef970770cc

SHA256
55ea9dc53ed9f94b07696c65286cd23a6a18bc05623cf6eb10c1f3df85c9862d

SHA512
47cf12f79b081f03b4881919fa294ade21e0623bc7d51404d9eb0899608c20fddd2e8da9cf77776f741c0b1b6238414b66a4fa9413cea0e301883c339a51e844

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6bab6691c81fa47ed414923cd26678b4

SHA1
250e6890121e2de8fffb455900194d71c801179e

SHA256
a3a69f3c44dd0269a354649e7d2daf0ecbcf3c3ba6189bc409cb8c578abdbab5

SHA512
9baca316ffeadc786284821443f6293e87a7acc7d7923fbfc3206e26b22efa9003974357ca6ff0dbdd8644ab4ad093a381e51899dc9349e1e3c4d4bd6c83a4d6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
85bd5480864e42e5c59d39a7011d9391

SHA1
6a1927b72434e8eed94b15effea8e3ff7632ed64

SHA256
f07e23de3bde9306ac633800dc128e677a0dc2d3d67049eaf3f88ee6b7adf8df

SHA512
ce987a738c087eb65ef89ac3f3ee5fb71ef880cf6934b7cc76e8fd87cb027b2b480cbe85940e82174ac6d6faf88e2726a764d07148c691d961eae29c6fa29b1b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
1e792c1f7f3d06c17cf1880e026dcf96

SHA1
34345b838dbda334ef472d57c2fb4f57c7c23e8e

SHA256
9b94822feab5fab6b798eeb0cc962d3a4914ad8800a58056ce25d756896587ea

SHA512
c91b8ad5e4320f564079808c1a07587ab286cc56e01a5cd71ea7927a622739611a0fb3d5ccd30ce071ff045456844c597c59d01b160da96b07bac38e72ced45a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
4558817941f55c2d1cb84e48f2129e8e

SHA1
285bb6b52c4d298a4a3b3fce7f3673ef47534a5b

SHA256
f35b7a2e8813a724d5fb5f8397d99fec16de24e21211f90c11a8f97682ce6874

SHA512
55eda311e3fa1210e229581282b25ca49cc26e43124e888b4f017f733353b26f70517940e8e4ae2abd1ba6d1854aee45c73bbec64c3ccd21d2e91e38d20ed2a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
87294cfff0d6a859bb153740b03142ae

SHA1
2f20d93f71f70fa5e988e3204e90cdb5cb6c1078

SHA256
31cf4615c49157e17afa3b073dade74e5f58dc36e1f90bdcdd2f3a00ee2f90a3

SHA512
a5f4002d3988887497faa7c22df1f1a8c794d16f8c58d236bec39cd0b0125c0e8a251d11ba7ac9b48f303bdfeebe2b69bd4266dd80e36d8a82de48272da4933f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
e78b8353e64f16b41600c063fe0edf46

SHA1
599459f39755097d25d353db2becc00a6b5a27dd

SHA256
b28b956705a55e0004d8dc6ecf3a87e8dca23eca771f89018638f2e54b5fa781

SHA512
3e74bed7a02c5ddcb146b4f98fd345bd36f3e08bd9d9ce408615d5ac29f9cfde1512390ee12c69b45161865a13b96fed78c2066d7771bbadd3b1b7d125cf2f21

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ace8d9f40ae5856873a62dfa2a864d3b

SHA1
d7c3d6cd4e86efd75d123cf68dbeea524d8da864

SHA256
de928d2d6cb5676a3e4f30d372cd3caa2c6439d2cc9a14e4cbc79f05a05ca85c

SHA512
040c66e6cb4205c1fe52e094f040605c5ad83a210f004b0408f2d7ae0275b00c9148a04f8c1065dbe7f7c0375f6bd57aada6594feeb4f40aabfbbfe3ea06e45f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d9a25b59edca4d52f267fc56839de07d

SHA1
a3295c656b49aa1f6f353046e620e43e49d294e6

SHA256
2436d1f41ac43cbbfdeefe8db484e9e8c9b5d1be9ba65a52c25b6624cca4c9e3

SHA512
71fb388647d1db689ebc24ce33ea03a203e2f6c627f1b9182807e6d943b1a8680167c99a756989f7de4fd77a3d84680741d324048689390e820454c9228f1a42

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
486588a0bc8136ddb0ab1cabb322ed68

SHA1
ad6225ea6e95ff593ee26301bc6da9150d001656

SHA256
8c3b231139727c09d575830883e3ed7c8ac09dbf2350b9813bc9a7cbd332b567

SHA512
22f2d1d93e5d7582375ba5d487b2b3c05aeb78819b9ac87da42e095dd755cc756144e20f3346bcbc9b63dbeb007f50a5cd179a3a4765d6615a89fbe255f6c027

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
fd8cc240fd11014d9f666139c179adbc

SHA1
f12ee6ce40c31a238bad4a68e2a2feb0bb32fa8b

SHA256
6b59932acece09e631023968af1df76e57edd6b3ae6b4d0a87e0e0229d95e7c9

SHA512
069b29fbde9abec237ba645f12d764a23ef2e56ba302c4f756b36db4089b4329901b1bfead71f4d85d1ab56b12d3ffc3688f22ff60a7c14a0f005e5a9ff62d9a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
d135a9d5751a18f2bf675eb6a433c1c2

SHA1
04f67742a985418bad290342e630b5ec75041b49

SHA256
4eaefbf54ac98cdc44a69d50a26207ec98893b08b98dee32b7b6589d708e48af

SHA512
68d6fb28c6a29bb6bc9d71cde896d34dd3bb3bee5a0fbaf2cf769b490978e0f6696a1b32864996aa8d233bafd15fde88eb6b324d2c2606dbc43ff03183a43156

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
e11f9647f5dff21e13225775821d58ed

SHA1
d2c80f9b48c33a8aebe84a2cc8da129bba9e9689

SHA256
eab42aae466ea0e58a61f52065c9f0ccb357f163352c446687a57b26dcbdf015

SHA512
8dd1b5ae5bccb66b90c7b34d21f38fcc1c23196b0b21939246648c77efa6be515e5eaedc2aa46933200f069f61e0c2563d2410b90255568567c8069fb280e209

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
60f2bad961084692ee7bedec5d746ccb

SHA1
e8bc18ebf27d7be6343a7aa93548eef82278a917

SHA256
98726bdf40fa6291cb6b55c28c9faca30249a35a26017ac5db9dbb7925b4406a

SHA512
b9004a58c441b8f881868027e1101961709e5f8b7bee645af61ee3c1b0b455e4c8eb9e61591c964ad98e9d4b8493f83988ce623e3d0e96e043845e8a7b75fd00

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
996a1b882e9f089d71776c3e2f29b1a9

SHA1
49ad4ddf86aabb0a2ef2119092b4d94b1db44bc1

SHA256
2fa0007ee1c1479b7db087d2b74838200b0bf622c2bd45f79586386d3e564351

SHA512
858093d3ba9ace096a323ea52e029da438ecada54db6f61f9c632042755222ffdeb06d3966814a99be7337f57a2be8c8adc9a573548e9b987c52c05d01e207e3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
fc37ca5c865d8a8f0eca55cdfb04cf83

SHA1
9f826f6a4548bf6a354ff722f0c71d1e6ec62be9

SHA256
317a9451c941b1a47b2b8369784d52169b0aaada5a855593b93a5857d30e1c5e

SHA512
26d74a11be095dcc9c60f211b1710dd1b73dd1304638e8f3b44e4585f460e8ac04b20bb935eba84dc7a6d6630884abd58a746005ad21fcfda0565afccc4ff747

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
9d2c2f7023566ffec3139acc1994764c

SHA1
25c73bc00cf48fe82b49c90bbd410c274f5f1e3b

SHA256
f2b3f41b1e0702905a907db6910ab91746653f1a67c268789ba73d230d17203f

SHA512
7809dd42dee54c1d978bdef19c41d037780d0b30604eda07dd9d02d55d617e2e7fa68d08d98fd4dfc8ef10d5ae15be6ee4fcf72e03b4b03f7ee5b096299ed0ff

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
e75e6f6d8dc260229a385d0d594ae40c

SHA1
a463c47a6935362772e4be294a981c031433ad32

SHA256
e5cd5b831f65cf230b519f8379c894c4a512fcd5d12f251a95a1d19e1a9df911

SHA512
ad63b038672c09b90ff3f6c54f297a04d18d9a53c0fe7a042a8ef07c24ac774626b28f4478c11cd2bd92974a2d286fe7d7b03ec64e29f4e8460da3524bc16db6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
4946838d66c83943ff1076ba56276783

SHA1
76946c096986647b7c9d9945d0708e2341d70cbc

SHA256
48c7d371786405b33b15bc9c8b8ca90d824354f520c4048fc5ba576eeea33189

SHA512
07c79fc6b192871b527dae9cca5b34a309d0f6ab6141c9f467e569d4ab0966fdd2e5da818a76c6c453561a57f5d643b970f5a106744a83359c9f04dff77822b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
4432391aa48bfcab0b8d94c6e774da52

SHA1
8e0add3efc08f08d7ba66a7f28a58fd51bbaf2cd

SHA256
1c7bffeb0f3870f60f23274f2f168d903fc8e3553b7be02bd4099701dbcb7cae

SHA512
39bea766fdf2aac2fd23bd5f17718716af113ac2bf2569ef596a35581f50bafbe5b3516f495cc71d9a066f9a8ba0368f1ad79fe822733ba3ca7affb05ffeb477

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
33f5696f074ac1ffef2be84e62e75938

SHA1
501e694988111579c53d3a83afd2aa22b6bb3950

SHA256
a04b5ed4ffcbdd87c777d499d86369074e184da4df5fe4fbdce3e1338f963d0d

SHA512
812f02e4681a1e86c4998251e50d3c26dab771abe682ce02c5d7a32a72c6330cc62038935a3ce42bb9d8b5d23adb6869bb52f5677245695bf314ae50e727d480

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
ad7192222428687a9492846a374a1507

SHA1
84a4990adcb9d2dc4e41a074dad5fb56f2ecd451

SHA256
c674ac37de6b0634aab97051e4d492fc3eb3fd182a7af7da5c1826bd4aeccfe0

SHA512
492748d14eceb06fb45b0c2ea4f1966192ee85d11608ac7a34c8afbf136168cd349e9e8b136773d288ad778f03f9be4b66de0bee45e0a207596554f7e21d3b04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
7886ce6687b7d0fb82c9fd9291ae8c73

SHA1
6027f81bca79f7639e44029d65316b2a948ff355

SHA256
8b21c708006a94483aee5b1f70de4f7168d6e54e005ada03305d80f94410aa03

SHA512
7d27132c6e38bb673b1926b4386f968123f5c5963958436a9b4bf691850dd706a9ad61978c38bf0b4963a79c5ebe9bbe9c2b6aeebde2f0583f9d98bb33dd0599

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
73cf5f115385af74ab64e0f4b4604d88

SHA1
3ab13c9d491aac13ce8c6f843361e077bda6f7a7

SHA256
8c5d223000024f87b2098d2b667cba743bf30fc0e3d3f97da68f25388d1f95f3

SHA512
deae723edbec10cb8d2ed04a97adbf9528b757ab17bb07982c24fa3cbb53382e8f7ece0b6df6bc0891dae18340f1088fa04b3abcf2193ea2b87eecc50ff146d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
bb45a51dad3f363665fa75051f2404ac

SHA1
df65a89397cd2eb018e417930b324c69ed656227

SHA256
f7cc2461cef45a8223ed32b5625f75e09af80fa1c88d0f37edd30094548a4cc5

SHA512
74fa7ced2112bd9f717219450c2d259953c5aa938d2af4ba7faf8c5b2096368599f1f95dad8d3d86951e9b93f4dc09adde0682e757d16a95f5017a77bdfa35ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
8ca85c109047dd6940b93ca605bc63a2

SHA1
7091115ba9682e9162a4aa23ac280a0aa0596984

SHA256
28556eb6c8c4b0002318e88839b7bcc42a53609681c9b7d370fa245f79bc6dc9

SHA512
8fdbec174e55dbe65a189e86eb6b1bc558a084879d12f0112fde9e2029af2de0cb37a9fbc42e7836272760f3a51b179284bcd708221590878e60a05f076f1aa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
3a24e03b5491e875ff0f35cd8ca6e95f

SHA1
b54af240b8fe99319d978614dbb0befb122b1053

SHA256
97de053e0c3fd68712b8fda1ea00cd5c0f68c9a5049f470b5699f61a608ba2ef

SHA512
9f50ff753f44647fd6717e99a1378d5ec655cde80cc8d2446c96b21e35e56896dadc78a4b76e2117821fac68db85ab589f076769d92ad2d8647b3ef6551917d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
6ad8b6d80f5dc00fa0104c5f165ce2a7

SHA1
fa5ba688f0ae68ad6cf716c8f2ff0fd9a7c1c2fe

SHA256
f2187f401afb1934f152a225b3458c8a47d229346231de32f952d57eff22d456

SHA512
1ec339d1e25f08eec8620f2cc561745332cdb2a47b2640a57cafd47d789d06b361a12086ec3dd69d5b7ce72409ff0313bf2d5edbb5fe5f51d4152c071291375e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
d0140e0ea7fd8aa432bbf2ab0b174bdd

SHA1
6b528f752b0dd237be1cdc0d91f023178c4283db

SHA256
b8eed37aec801d92c02e7c12a17a7ff3137d22035fde7c4d31299a1ad8d0c4f4

SHA512
ee005e005c6a96a40a750dcb209311cc902badef9f0c81dd389e82940be85e48eaf200b1bc4d78f3890a6d8550ccf07435c9254f674ae34a9b3e47d7f60f69c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
422fb61eed434ae7a9eb882d4fc698a6

SHA1
749f6c049e1f28fb2d890e00b819231ea1126888

SHA256
465879050c99ec7c9e4603bcc3db70e59e79e5174c57ed7e95ee3f7706d2f577

SHA512
bcb3f1b91a306343034cc247c94abd890b2b79ed26a1c67c3051ca7ed88e5f5ff502dc935c3b46837eda4e386fa75ff9d2fb3fe408567a0a17ede0ac6cd30dc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
f97b8a4d1db2a8377c15c8a684055a51

SHA1
04600e8770322446a6dfdda3688c5e0d413aba5e

SHA256
5b14c079f755785ff3a6e091d69fe76f9035c4444ece2f4ece65f6e0b39fb73e

SHA512
1aaf62fee0577e6efea95563ade8ef83a4c7081f937865c91fee052b9a5437c64f80841837b1172b49ea7d56a7d64acbe3caf9081baa345935aa2c110c7efbd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
0ce026efd27120f2616b1cf72caae0d9

SHA1
5466d4f7d4324d5272d42b5b8a0c7c73239c1625

SHA256
c46fa7d3ea27bcb416f1ffcb5ed08a05db164b4218298d811a3ddf793b8cd6ce

SHA512
180b80fc80039453014dab0437de5088dfee21179b6213ab206ffb9b2b22cac41a869f231411e09687037bf6ff56d7cd811bb5915f177538d8bc77898a7f441b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
2536c23dd95507c000d285c241522f07

SHA1
b30f41b5e54b9573b76f2973bb96dc7e9902f381

SHA256
aae146e99365f708f18275431979193b2295c342769c4d77244d8bad574b47f1

SHA512
3f0130bd4477766da7dc8a66c6ac89dd7a8a6e780f9b022f38fa13e3879ed56584f4e88b16846d35e5df6ec7418c934646b2aaa2e3929a47bf517442ae10497c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
205f58ecc98a4aaf8a8621584ac95157

SHA1
d3127ee0007f14a0279e307262546cb7ba41292d

SHA256
1da3d95ad2c44e1a84cf3b7c2da8ab903ae1acedb3d979e2c5e6cd4a8533c4a5

SHA512
bd439e250f4a20185b4cfd1b465887b47f41cf0550be9236cdb48b8acebc7c0af5b35a0253ce8b0dc52ff8964e76d9c4f6a3effcce3e915374767ec6be75d448

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f480567f58ccc4f9319963289c34a50a

SHA1
72f8738b100530c9cd9b36a45921f8133d14a245

SHA256
dc477062ef10cf44fa27a9dca21fe47b17d074a95789fe96beefc4b62be6f917

SHA512
9172b6168a49df3d14800a801772aaa86698e2546752998139bc542065d13ea24f90f2709b00b7348a8cfffc1919df917a2c04e0de4cc908cf97bc0e72f45e09

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
3910974ae916a3202126a1f4b200d8f3

SHA1
e87c472f09d4fbc4d4e081976280c3b51195619b

SHA256
0978f84ee83f3d754cdfa673c779fa08f6e685e3be070d7573145e513b7183a1

SHA512
17f0e0f06f6cdba08fa466be4928c317479b6c71868de33061a5e1e041052be35d0294376e67f67fecc7212279e86b2aae778f0cab622f4e93665bd1b541d5dc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a3ef1932c7fa2b0283fcb128ca577f17

SHA1
9f9397b85f7df4197879ce99b10e7d2b08488487

SHA256
88af4fe45cb4b3c45aa2678542632e5699063fffbf8fc832aa5a512a5f5f2c00

SHA512
264e6298bb95504c194416813fa609a8dac41ed333a2c5bf7d1f1ad6b7d5f3fcb77bc82ab025eeaf4175c05f6e6af6823ec589b9bb120122ef75eb6db3c40849

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
841a80b7ea7b42c785ec240cc3693d95

SHA1
6d59aaa3301a1eb392b036a8ca3bdc6e62cf9661

SHA256
4ceb6d49903eb5b2c052020d0cac1884a7079dc5092aa22d6c34116d5eab8ac1

SHA512
6aa94ac1646d885b4eb85f32679349735247a74f16eb0ed3d767fe459fb576a3431cbffda90b21e26308bb50fb1b6c1b7e89bddfb9c9578625d779cac1ce2f66

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
4048c482efcf3db757e486c70b4c35f2

SHA1
7175b22b70d0c340ecdbecb1707b3dd96b5342e4

SHA256
f4b707707878a3590053e11b56c7d993c0a31cff2396d5790acd33aed3269a75

SHA512
c0e091b4a714e7060ce8f22916beb4e08057a288014eb4678bed1b2f328ec4f8087fafc83e8902d30da335a508aef5e26c8e7ef85213051af8a02b0b7ab3d348

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
35075b98a8307b02a7a715952b18827e

SHA1
f640a68fb70783731de9977fb94e59c4fa19161b

SHA256
1e1a5d750d8498cc91f567395a5e1d0046cf4cbe0f14a7421f8449471536e15e

SHA512
43876475d6029ae7e04d7e5e91143b3de7a926cd09fe64ac05cf6abe5d82d8a69687732d96c18b651ae8df07e10a0d0a7e0b40c145b91156b0956f798417985d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0d159f92360cf2aa68e04f1db6ba62b1

SHA1
bdc6b8c310cd4ddc599daa67863ff7f70f4b0a37

SHA256
4eda391db184a4a7540125998bd08583e64255c6c23f58062c58c415a6daa4d8

SHA512
565e7c646e0529671f553211150f0e03be51072c524fb70706aa2e8e12999a79ece840b12641860ed92974e0f96d638fa90c89b4a84fb0837d4ee8986ee0a078

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
657072cd406e8a6ae8e04414c8235bfe

SHA1
62c064fc0ae11b01fa189f808803643f1464e0a5

SHA256
a29b908c9774f71e7f91d4e86afb665835b01f75b3e3e988a3148984adb81df4

SHA512
93e50411190212cd171d6d6c00920b93e62fb8ba23179385fa4b9717caca0606768019f949abfd4ff83c4eeaaa1d71bc925e7e98a929c57edf26464b92f119f9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
2ba735e8744fd1f352d1bf58491c9f38

SHA1
c35024b85343d3e3276711b87cc0f75af3ce2128

SHA256
92cc17029bcfa6a04116b08fd1bf85ce183b2caa1d5f3204a70434c452abbd85

SHA512
f63a9301078717c20a9626a8613efe81d8f919070c0ad3888a999dff111acfaca45199d11063e5c5589eb979fcff37ad7ec4a246b93e9038d9b63bccbcdcaf2f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c39b568d8e4cc2220e94fe4e6c4e7672

SHA1
68109ed1c8c6f756ade58639644799953834a122

SHA256
c05bdbd9ea05ffc21747b5d5737562b3ea4b19e052ce794b6f0c0a4b0c65a0cb

SHA512
8c1a360563ce319fd54b06ada4a935e131f63633bf900a1c57867175b63b8de8095833e624c1d433a49376be0001baa23186d6f1c0f57b68e775292707653253

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4440df913b3f76f48df94e71e5082a83

SHA1
5cb481a3a2a22e12bc1f1431cc5f0f4b4b6a2c08

SHA256
97deb21468ee6826bcb469bc95e610208783dfcba3327a1124335b485bafdf65

SHA512
4c169dc5e14b5f3d9f2d39911b91b9e2947aecfcdc5267f00b61f17b9a68ac5ddf012022cf32b47aaaf5a10fa9aa2a974ee3dc6d68ebc251e6e58b7c4b500a7d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9ebca7a1e47126ae557ec7513457ef25

SHA1
30acb2bca147d83e699a70559cae1429a0384380

SHA256
650841520dfae573b4968f5a3cdeda8686388d0d49ce099d1b95b15740a13b11

SHA512
f2cb9b4e0c49888628a236df9c89da06bf65a47f42534cda3ed75e1c6387c3aefaa415ad7b0faa5314095ef8d899bfcc525161e74fba6a6151edeabf3cc02919

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
cebb4839120120781c710f17ab9bdb15

SHA1
91e8925d595b4a9343f9d55a277a35c77673ba0d

SHA256
a29913c24bc2371f8e2473a4a9ec0d298ce90c6b3f4af615d3ceed57adf3ee6d

SHA512
cce0db454d1064517822303218d6432b4265606636ddfd39eb0daca6ddf4287a3a3c2ff1bbdcd48e22c72a113bdf248b5a696384de159dec1288c32c3a6af0f3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
16690430e2d0982a213ea3fb9ae56c45

SHA1
19c70339fdc1e8e1934eb8b04a18186c80c2163e

SHA256
ed44c712488535e78060c89203e1a13b13f13e7e313fdff736200acfe0d626dd

SHA512
f87350a1fc0a39fc9aca54e887b35bfc07a3d28ab10630924d1076386b49a085ae14e0097cab7767ae3d7a2fae89288ec1be43aeda3d7ccce838a840b52d5085

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
0cda76c20d3ab0464acb502f74e5b607

SHA1
2b75eda71cb7e6c80abec3751efddaae0ba53e54

SHA256
823b1425eb4014863a972878f3ce2d153d916d21b9d3860c5d13c891908bc65f

SHA512
8fbb5d996fdc548fc388790fbdb8327c2750a329aa3dd940f8d4bb5d481445541c28858949ed1c0e674646004eaebcf49ff0ec8c900cabf0f2a3f97804ae8d8d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
6d29fd5b07dfffc89b610cc95c641212

SHA1
1a0bfb4616dc8fe562ba01767798d505e0cab71a

SHA256
c48f7f493cabca4c320d0cc72b695e81ddbc93689497dbf2a66ab1072c0eca82

SHA512
53358eb15c0fde16fdf330363043897eec89ca4d643f864ace3a66aed90d03d8248e3e4dc5e4cb68f42eb7a0258057786dcc4669ada2682e34a6152de7e5e144

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
bb055342a6775c8f216335c6f1998e99

SHA1
b8cb01ce2fbcbe93a612c86d6f86ba5dc48a8b58

SHA256
f7fc716d939bb0a544ce2f3eab3e63e02048a055d3e046e16f874fa5939d6403

SHA512
731a5abac6e4d19647cfec8dabff48244e442d0f091d84a7186d6e1ff2d0562ef68a6f670a2bd878b699df3096cd88cd4fe497bfa20799f3edcab842e424cb94

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
10e0e92811a1802309bd443416bebb39

SHA1
79e0d789d77fec99b246bd57f6ca026505560236

SHA256
ecc4f43aa8be2877f5f5a0ce450bdb7369821ba40f7370772b525c48b0bfbc24

SHA512
bb09acc4e8dfe4e7891ab22df498ee8e04e1ce567609eda69362864897836ecd26f36b583268bc0f64a232962a247c7e36a72db3c115bb5446e731a4471ad3b1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
bca9000e054ba046a01bc43ca6ae3ba8

SHA1
ac92ec407497c14f423f95004309dc1f3fcfaaf0

SHA256
1f8c044359bad217128f6ab495bc5b2f9cadb84e5b511c46f1dfcf6a3975199c

SHA512
a012a7990aeb12a07046259943c1c7973101c58a53452715d2951ee54d4fc760fd5aaa4adf0b9d61470f32f5b59149963d7b7e3352ef57e9018d570711f35fe5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e9111dab4f23bc2de5e857a572ef0ff6

SHA1
a78502c4b13a596aa8dbd41b648863f2aab788e1

SHA256
34adb9e6df4f1a0bbaa0815f17e741c1b32c13f25fc85d855d1c3359fc45c14d

SHA512
f650e284b622bb1faf97af516441bb3da6dc9023956054537144ddd54ab7868102c192259ac422c4c141dd77a4f5db8d5663bbec755172b55bd5136bb457bfed

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
925b41faae8d700de946d0a7377034d5

SHA1
ae4418443f6420a759af39c920bfa1ba973fc077

SHA256
6c54b80e5ddfc5ca37c3414da81c24e78f0f39bb7a35f4e3898f14e15b43d50d

SHA512
9aa81c8557ba478b356ab84a0c52463315a14239e8d80d96b18a579bfb9eb6f7d321ed3718127e85a9fc7c5c166378b317ab3444ce70d750200eca13d91231e1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
d9980e061615234dc0b36c568ab501b5

SHA1
cbfadda890c1b97e20f41fb65d5daacf02ab4486

SHA256
6493b5d2f915fff3fb80ddf098a62d98ca391279cbf2948753dab9b81ff2c204

SHA512
f7b61b9910f9ed61501baa260eaca190a47316c3b525f04155d83f4f96bf8520c2db87ab1aa16c8a50a1e1e6c4501cebd09c9ef502c80129747cd10525085494

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
aaf3b7cef656e2777b5c232275c4c038

SHA1
62283d7cdedaac18b40bf9369cf5bf965a581473

SHA256
0071706b8e953ecc3a413d256360957e45ba41d81b75fe3a889c9658469d4839

SHA512
7a32b5573fcedd98f65d1d91708f09ef942eeb200ba31373d3ec76185152fbd7e6057a38af8427c0c885145d30d518ae57f3e74a3677507a2cd35a5de5a4db92

Download Submit
memory/376-267-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/376-129-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1012-508-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1012-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1420-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1420-197-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1420-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1420-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1608-379-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1608-180-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1760-148-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1928-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1928-589-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1968-0-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/1968-1-0x0000000000C50000-0x0000000000CB6000-memory.dmp

Filesize
408KB

Download
memory/1968-6-0x0000000000C50000-0x0000000000CB6000-memory.dmp

Filesize
408KB

Download
memory/1968-75-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/2296-185-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2296-55-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2296-56-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2296-49-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2436-268-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2436-599-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2824-118-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2824-247-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2996-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2996-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2996-33-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3076-112-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3076-235-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3196-12-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3196-20-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3196-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3196-91-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3588-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3588-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3660-76-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3660-89-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3660-77-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3660-83-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3660-87-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3668-464-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3668-186-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4028-61-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4028-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4028-46-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4028-38-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4028-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4032-206-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4032-472-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4076-181-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4324-255-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4324-598-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4332-179-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4332-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4332-597-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4740-92-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4740-93-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4740-223-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4972-600-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4972-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download