821972a1e0b3e6f308dcd52228ad238650b6b5acf9176e738def43604efd3ccc

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
Size

1.3MB
MD5

260df35ef3e4174b0dc96a36d38eac47
SHA1

21803bf55fea62058a0389914250a8e81c5ff893
SHA256

821972a1e0b3e6f308dcd52228ad238650b6b5acf9176e738def43604efd3ccc
SHA512

e42cfa94d9f8943f9dedb715005ef0ede74115c1f974eadac6d262c9d336df3ea1418930673f5f8c45cdb2abfdde96c80f3a08c267b94dd7073202d4d2dd3365
SSDEEP

12288:9tOw6BaaMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:n6BMSkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 24 IoCs

pid	Process
1264	alg.exe
1888	DiagnosticsHub.StandardCollector.Service.exe
4904	MicrosoftEdgeUpdate.exe
3196	MicrosoftEdgeUpdate.exe
1992	fxssvc.exe
4340	elevation_service.exe
2944	elevation_service.exe
2416	maintenanceservice.exe
1192	msdtc.exe
2812	OSE.EXE
4956	PerceptionSimulationService.exe
3012	perfhost.exe
4212	locator.exe
2768	SensorDataService.exe
4664	snmptrap.exe
4636	spectrum.exe
4972	ssh-agent.exe
4088	TieringEngineService.exe
4404	AgentService.exe
2920	vds.exe
4268	vssvc.exe
4124	wbengine.exe
4708	WmiApSrv.exe
2320	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cc3622a4199060bb.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_88937\java.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0bea0c5e681db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d15d7fc5e681db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ce104c6e681db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bd475c5e681db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fce3c6c5e681db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000716041c5e681db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019bdbfc5e681db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
Token: SeAuditPrivilege	1992	fxssvc.exe
Token: SeRestorePrivilege	4088	TieringEngineService.exe
Token: SeManageVolumePrivilege	4088	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4404	AgentService.exe
Token: SeBackupPrivilege	4268	vssvc.exe
Token: SeRestorePrivilege	4268	vssvc.exe
Token: SeAuditPrivilege	4268	vssvc.exe
Token: SeBackupPrivilege	4124	wbengine.exe
Token: SeRestorePrivilege	4124	wbengine.exe
Token: SeSecurityPrivilege	4124	wbengine.exe
Token: 33	2320	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeDebugPrivilege	1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
Token: SeDebugPrivilege	1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
Token: SeDebugPrivilege	1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
Token: SeDebugPrivilege	1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
Token: SeDebugPrivilege	1496	2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
Token: SeDebugPrivilege	1264	alg.exe
Token: SeDebugPrivilege	1264	alg.exe
Token: SeDebugPrivilege	1264	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 3196	4904	MicrosoftEdgeUpdate.exe	86
PID 4904 wrote to memory of 3196	4904	MicrosoftEdgeUpdate.exe	86
PID 4904 wrote to memory of 3196	4904	MicrosoftEdgeUpdate.exe	86
PID 2320 wrote to memory of 1360	2320	SearchIndexer.exe	112
PID 2320 wrote to memory of 1360	2320	SearchIndexer.exe	112
PID 2320 wrote to memory of 772	2320	SearchIndexer.exe	113
PID 2320 wrote to memory of 772	2320	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-18_260df35ef3e4174b0dc96a36d38eac47_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1888

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4856

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2944

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1192

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2812

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3012

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2768

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4636

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4972

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4908

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1360
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
1.3MB

MD5
c5fb1f99bb4cec4479fb8f95423b3aa8

SHA1
3690e6d764a4981b2391e052baea65e3e642c1fa

SHA256
39668d9fc15ab0cd8ae06fccb42466e1a4f79763fcf18e5c48128c5557b09b49

SHA512
aba39c6ab26e8b552af5295d59d12020ec60dd78be2f35cdbb080fa8a38af8458a1d05bd5399ab68a1ef37cbc16c6aaebd2ce563c1dd388bdd7139d0c2808178

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9fc5c0ec8f9a0c290af109934a919fef

SHA1
3814e211ce4749f56af6a5bdcc2ca96bd3fa1ad1

SHA256
55ab13d900cb070e13bc15e53e4b72b0ba4cdb4148dd34453e65f2b936324a1f

SHA512
1529ed06cecf682c15c42c6519f3de6b791af0fb7ed219cfe350d29223fda6063b6a2d4a8f9fab1e432ced9eb3290095457c5e8e3e0f041b6f8e18425584e65a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d6601adc8a45a080b34f8c9872ccf1a2

SHA1
9a17469b8a605c4a1c62281cc4926f67933c625c

SHA256
f6e29f80fb2f5d318860f050bc35ebc49f3d1501283b6694bfde4d8fd2c32ce0

SHA512
ff2dfb24d145387ffcd087858369c64faee75ca4cc190db84631e4fda8983e38554c8c59dc428a3c88bce3a4a2d25d823290f7ce61bd39b9f34302787fd079a9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
e4769000bf74e83daa5eceadb2607ad5

SHA1
5df086aa20a3edcaf6a0155fcc159d43a72aca71

SHA256
6afb30f63c2d9267b370242d9e2fabec33520ed675b5bae71070920d688d8fef

SHA512
22bb2918a6e9d28fbe29b7db29d035442ecb225dbdf67d79e6dbef3f3a0aa84f402866c752758ae9a44091d77566cfe9906518e17ed79f9d8a485f6bfc7e0e31

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5e2219dec7502bf868e298fb3f4248e5

SHA1
3dfd4f5ff852451ba54f01bebe64c12a487a1e2a

SHA256
202f15b79b11779e68caf34358d57d2a7685252d25c4e0b751564083a9993932

SHA512
4de8947c8df0ffee4256adcb309a0eb00fd1a72f18053d93ff021137f6942718b42fda212353a3b08751f8dba45e15f5f165f76577c836bb46ceb43f0d6ec1ba

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b7e5f2816fdc66e14b34356f7bc751b8

SHA1
ead4ba10b2d3ece12acd263820f66b1adc111538

SHA256
af6db1070d437bae3b1ff7f21dd58592477df097399230d31fce41729b5bb1c0

SHA512
ad2d523cd0fa39928eab9871b3c6aa44c6ae3439b792e1c7c18a977dd5510f08b21b54fc6a9690eddab3f1c4b62a15ae553ee516e416ae61b6ce5e672fc3902b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c5ff7efbf42c2058643f8428f4b484be

SHA1
4dfc7c7df26cbaac7ee0f6e5945c9cdb0cdde694

SHA256
03d987420c8e98dca6c0bcd527db4fe9e4c953548d71b023335e48c0ed2fbda4

SHA512
b73647cf941e1564b51870527193fb6ac75d87e4cc3ee1ac701a5d7a98cadc4b67de17c5e8b4d8b1ee606b06de8203978473c81468ada0428539a173d862322a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
638be4ad8f2a4323d873ac5e9007e695

SHA1
7d5940c6ecb047e9463e0090ae5dbe7a58625caa

SHA256
73f835b920e571773dbbd2c6a6f9a793b534871ea7678cdc26256deca72f0b93

SHA512
96d3aa7d7924edb6f780ca9ce233b57ca01245b1274c9b53f6aa60bcdffb9c0e734dc3ea764d2dbc02cff15b5ac8229e8dbe0322439545735f106cbbd0a65fe0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6bd234d212abcdb951a2f42c248a2a3a

SHA1
5eba7b1af0575ff2150e8eaafa5c29640f43f6d3

SHA256
f3463ca9ecce266d752a8e9d570ab3fd7a06e0ea0b9bf8743a9c22871279c705

SHA512
b2f8403f467dd3308cec3d2f3b0e99af5dc16c9f9ddcb6e385dfef9596cad40f893ce7a3f6dc349a82423db226167dd36e74e3036db8fc8014c34b297d92442f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
04e129d3b34d198aa2bb198056a750aa

SHA1
c0ee1531deee4afbea18753f7a6727e3681899cf

SHA256
a0b70e0b3354670469f632439d4329e6ad9398be252c3993dbc577b7f7d34ead

SHA512
5416b21078b29b01d27913630d31ccc2957fdb6b143115279266439ed7902e1710d5b0103223336a0260eb514863f69af333280676ef5bb44c25abc98f6c74da

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ea8a81501d37f426ab300584c341c615

SHA1
56e0a77666e11eabc2bf284072a2068325f65ebf

SHA256
d267d3bf7984e5c515ab55d93544d0073c3c1d53c9471b27dc19ad9650245da3

SHA512
75fbe13572ef5250472fa29b4142cf61860612175faf532897e4072422a2c06d5234ae466c1a886a4a3ac5288ffc18f903c038d859e1bdadceb5722366a0eb60

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ffc7fe13f9ba1bdd0024dd12bbce6bef

SHA1
06b2df602fd4246c993b0aea4f47f7db0c0b761e

SHA256
7c0636ad34ee2dac8a3332fc073c7021144559a9e2327d3436849e09f3acd94b

SHA512
3a236078b52a7bef0907a96ed2d0c210c11d8218bc6ec0a711f64369f1b2ac9e6ddd5d8af1b961f02f2c73cfa9f0fef43fe94e85e2152b90c53137e52c29e04e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
44d105bf43fe912e90d78343f317132a

SHA1
aa266d9b307495fb4157997d444db6d11e1a58ec

SHA256
f04ca78a8e3569237d04ca63229d5e6a60a53fa0e927bc6ff02b772f91b564ec

SHA512
986c1b50e6b782d9b8c6c3baddf9536f54a0f90e6827e003d55c293a34b4c5a227bdecce53f0547bd62754fddc18c923e25059ae049a4afe6269d5d3e418a3e9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
7485c387ce00143db6f15dc11e2b625f

SHA1
fd7d32dc8187382f58dda78879bd49a0c484e8c7

SHA256
00fcde24517439b314346a5530148bda5366aa706987c0d514971bc1fe12400c

SHA512
863408088b57ae825206ea01c505f22eee894aad73f19a7f20502f1b1dbe281b1a5115e2d13db26a06e8bef1981dff76eb869da1a78ab068f6ec0bd198f0d6e5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
1146a0fd80837eddd771fe3461c34ab1

SHA1
e79ec0277fd34c07363d5c0bd7e5787b60be6679

SHA256
11361c2c8ab648981205169a1b059161448ed079d9613de5aee0eaaeaf6fd747

SHA512
ddc814816041788ce282cda2a8397568b8ca062cd3726c86289fce99da7215b50af3a1ef7c142e6660aab116f7db3a055295657ee41999bc609ad5bf779cde54

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
14ca1f7de84e23ea9277764c5e4ee4dd

SHA1
571cf1c51404104bb4345115b773c37273e8aa63

SHA256
c96a84f2967fc13ab8a2f0c536ff3b215c734315d3b79bd8af4d75f5897517a8

SHA512
60ef17a8fd17af5268be9a652f67624f097bfe0364a1b3569351cd2855c05432f2479381875358299c9f1b526f3217b53c4afa605fa9dee52a396a278f300146

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
fc00fcb42163b795111216f03b2d879b

SHA1
9e800d8423688134d2d96b8f0187cdeea8991613

SHA256
3f7639c75b3807ecf1704a4fb4312677458cf4b0208550c8d2eadb09cc27a97e

SHA512
dc27bed3d41084cb841fc9483d277a2bba137b3c7f3a4cac74f60855d95fcf2bac7a19ca45410e3a2702d4989a476787feebec16f5f71132a018d90f62d1cc0a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
acb40ee67a022de76bb655cd55ed374a

SHA1
85d8ced279ff368c5b44569863568d527e611fd1

SHA256
4bb1294e0702a033268e237890b46b2e515a202755fef05d6c41a8ae3dd47c3c

SHA512
049d307119fa098059669ca18af810867b0389e3b1a3807c3582c523510e2a9181b271e27fc4548287487a9a2651c5288f67408039db0a9d8512204d40650dce

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
b330a3d4b19611b252c1735f6f0c5c4b

SHA1
fe6c25a29920e1fd367a4aa7d615db4cc7884fbd

SHA256
c41eeee17908942a0c84113ab00a25b9516f4d333e67b8b2629e95eb25b5c3c8

SHA512
a13f30db412b5deff495ab815226e3132e4cb917c9be404b613b5088fc6f43bb9d1986339408b63d3cf0a59d6c5647a21d393536d14369440ed8768a30fe2da6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
c19939526f96cea1804c67a53993d328

SHA1
a9aaad4792e5cc9db95605848932260c43698fe1

SHA256
1fa1050d2ab239283bb9a6ca6f4503777c616bd4be5dbae23150df185dcdc1e5

SHA512
33cb4ef49ef0d8b3378bcbaa51e74834938db04eec738a222090958398eccaa16a1cab99452e74b8a8d5242b81ecb7d856fe50536a437c32a99fd8f074ae7552

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
2143103f80292f326e1387cfb6906c2a

SHA1
e30b2f7021dd3237540cd03edb97d1cc0916bd52

SHA256
7fb1bec4aa830736d7c48bafa63d2e6eccd566ed6c2f96bbf6ce92ba39453f7c

SHA512
25ddff394174720cd1cb710f904af1ade0fb37873872b8f70f8e6af5f8e61568e3676ed186e4d131e9ea3d08f4411f988ce966e7334d928b28283d759c856ce3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
88239a150922726b0cc97b5a10c01cab

SHA1
e2c07660eafba23847c77d709bee5bac3ef5c602

SHA256
03d21dac995a9c12f9cefbf402e45e589c956ed69f5fdf810cbf02263c703c6d

SHA512
1ab413da346ddc788439ca9af1c76d3c22d6dc2b8fbe6892a4d4513632100c0c884541f0b8f985fd60e3154791736a85f5ccccbb9e1941a22b9e8c76e419bcd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
4d035c137ee4a075505a6ea9edf12763

SHA1
53470ba2bca7d8857eabd7c9c700ebf6e8ee6317

SHA256
f8a2b112e93385018e4a266ec884f958cddfe057551309d5926b4cf7dff93112

SHA512
3f2d8d2eb4d34baa566027b73987569ac9104eddc8e142c9ba9df2bf65389ce1457a431feadb24c5acba03a0af1ea908fef2413f7775cf68df3ae356a3b821a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
b713d544ad394adff0a9618f88a3b1b1

SHA1
5bbfe7f1aaa5a3c5e32c8143781c0b67527e2b99

SHA256
de1524774729f4f7e7153d91d5a5a6722b3c29ffc542167c5a87ce6c3da83d63

SHA512
5ec40c464d49551652e097ad319220287f61b7c6dbd7d580783dc3154b1ad01d0787f84fa608d1c884de44743fb4c48a3b7ee99287672c698909899bb4575a69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
d22ce8f5ab3d49b371a2e78543d1c3c3

SHA1
98bd21e25ae110e6eb71bfcb419818a697bc786f

SHA256
374ec29bd33d1591e610939b0180d3fe6670ae11e4b9caaa9a9662245d70ce6c

SHA512
6a03cdb922ddf1d316927106e207a4d89317bea9ee4868d3f902a1d509aa8395cc5208b28847b0e45d9aa37c909edaef22b8baf62c4fb392c311e9cc51ce254c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
6d516e337b2a04769c4bfe915b7a249f

SHA1
880c4c6e7e6913708736d5e4252b1e3a42929b95

SHA256
8ffc0a6e9e21aa5d2f8e768118092ad7bfe22b8db48114283eb8711a6e9f82d0

SHA512
8d0e1170a987d616bca1996a6dece3606144d6b00637119f1c5ef3740ec3892535d54a6199826d30ec20d65ea31d6abfce181e9505dc4ea1d47d54561809d4c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
e0f52ead9edaa2a2c55bdabe446e0c53

SHA1
65189bca60848222312de57a77766878f2a7ee4c

SHA256
dc86189354b3397a9675319678bf96660c177a2493d09dc2e4dcd977f30b4b98

SHA512
2164de042352a6de66c57c0862920a7007d57c5aa9375a7b76163a3090b25215ba8922a80cbab067f1d35f9cb07de88b2610694a430e080411c4f8e49fb435ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
8cba610cd98b21b58c940fd65a94b6cb

SHA1
bd43af6521f9f293dda483970be8248555dbcec2

SHA256
9fafd1ebda7daba78907480b5479414badbfbc85b2df696e5078449b89c7f730

SHA512
75b9fd67d6a8d139d5feab99ffade65228d1fdad316abaf4da3f4d63c8b0641cdebc5275f09779b7965966cbc550e91d25517ffc766ba72618f2478fc1f9d269

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
6df0aa0ff0735a51b2b2173d913623d0

SHA1
5b47e2c9f8370fa9945c3c0d23f58a1e67433599

SHA256
ae2b3b3291bf3dbfa7d73e95353b9eb1502b09931b752332f2b08cbdd554733c

SHA512
02f7434a3b220f2146d9ef518c70d37a1922f6a8589d9bbe3a57bb1494ed4732c34c27dacc32db97eae51a8de7a3cdef0e65e5b06ddc5c0494b96422f3e6f9cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
01fd0ffd6042fa41e6cc0509f954621b

SHA1
b458dab0dd5bfe54ddae0aae5774e874b170f7eb

SHA256
39381836ee0b0b6152850ac7a9d973551c84d54ba70764d98fd7ae555e59f131

SHA512
5e213e96dd84b07d635cb2b13dda2eb4130045f6f51a96d86bf4f35b71dc3d297034f91aaf71e0c71af5b9f8aa15c70a1b5fd394ae8cfd1a0d5ad88c4a1dd972

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
cb1b0b61ecd0f78f716c3c1e5660fc80

SHA1
2c552a4c877ad033031c814fb6bc817da351123e

SHA256
bfc113689f89d78a9fc8715f3b55671646f1a5bb5f55551428fab0ad46cee1a6

SHA512
6bcf63ff04b330e343134692d894eb7d4e6b38cf777fd076a64ffbfbb1c46a113bb7584bc55bfea1d67289947da838e0ed1bcbd820153671ce3b6e9f9ece6d91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
189e21a05b54036db2d9dd23487141c0

SHA1
5e9a18a4e341716bb611cb278a8c4517ef24bf6e

SHA256
8b372b95a6d64b9b3edc8c5f4134debba7c43eb11aff6d4b0d5082bd47caa552

SHA512
60dc891df607a997519022a8e914e34c249adb2f5328115b8dd733398679e7f12bf7f796f7661d90ac57bd82163b2ff332e00fc3dd7dc092abc7a08cf3025b36

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6128134be3038e15f1fbe3fc2cdd7768

SHA1
52d11d018dadaa75821de0c696eee8b86e2d74ca

SHA256
c6687bcfe73db464e4b5ea1e656eb7c3f7f1fbec0a4c51f6a981d667e9c271d5

SHA512
19db4c7a459feb29904e067c1329ce7dcfc8b7754ac4b80860e35a432e4bddcbd4741c7191039bd97e8c9ab07f7b744468b0b1a37c7736f6871950c23eea89f9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
e94e306e4565840333b74091c4603602

SHA1
dd63885bfa8c885a36a2265f567bbe7096155046

SHA256
6dc6f71701eeac1dea8687f0316855e1ad5334e483b9c696b335fb0637d3b1bb

SHA512
6f7d9d98b61f7b27f0510db90f3a2fef4186edf03912d525d8b4e00b8582b1fcb15596a86634fa00331fd0e37efe4677d64429213d10e5db1911df34d8ab3380

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
373KB

MD5
7f00677b588ab4cf5a5bfa6604bd3bf5

SHA1
6f33f12cf5703f548ac7c900f969e993b9026134

SHA256
85d1f4740ad44d679dc500259185c0fa4ceb72e1175706b05ed07079b906462a

SHA512
ba3138539e714ec18cac970481d2f43ba4a808b8e1bc6945831117cdeabf91b5027e7199ffd317056683d80397def59d3174e4ffc41ae2a6dd1d3917c71ffd47

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a1655bc1667eb39754e50b0f68648ca8

SHA1
c1173a1c0c9a45b27e71fd581ea47d92faf7b4a0

SHA256
1fff10b4e2e07c43f29594b27e6266740edaad70bd81ddd83c91b6320629b694

SHA512
43a8096fde616412c40c61cf48f3006701d195a322fbd4f92072941f82d147d9e25450043a758ef791862ba5e8219a4da6d09675fc91bc4bd60e0cb463197a7e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ade31f1b99801252f70957802d550c6e

SHA1
3f20ca0d425b52bd1f3ffa258777ab2ea855f929

SHA256
75e06866be0c40537b68bd9e8adb74139b32d8dfac94d00181c984acf99074b6

SHA512
fd4cae0075173a44a2e593373d380c33a5c58d81acb7f631fa64a13b0a20b662a14820597aeecb0c86211f67d4f0b99ff3a302b852cc26361eb3456f3aaf8dd5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
e072d0222ad6269d834bdb0967c7bfcf

SHA1
8d615267efbd3a7fa2856cb914f80f48485302f3

SHA256
3d5da8a65b3914c77670aa3f2b4dad27aceab78a5c78f2653b7bdd6f9b832760

SHA512
0383f23e6044d162d2851c3be0f15b5e12c93b61f8c96b12975b6bd2851479960d00b091b80a004320cf83aacd382a1e4b220c20db0d17369cdb97cdde697cb9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bf505a0637beccaa3d8094e8ceadbc65

SHA1
662bc177bec80dcd9a38810cc27d32a8a4b74597

SHA256
82fe4964b0c194fd34ce30d6b9d7c3301f5bc9b5e25656fd3bd263d1b36fb3d3

SHA512
3100994548c2a8ad800750e21528e8d58f6e26db6d84481921b7223025503266ee0e987e63d04bf42f989f0caba4e431985d7bf1c3b866f73b730fc0eae1a530

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
670b095db37f3946bb8f76757257e4c1

SHA1
71a37de831330cd3d24478e6dbe4b3e57b60bbab

SHA256
7787f22d990d5a3b97feb7718ecca167525e80eede7dadc46244db04cbaa941f

SHA512
915b4c9b002c96c4a2588390fdb939d207ac7da177f660d65e50cee62d3afb6ed7c40fbea603101fcc8f9efc98ec8ecd0a9ab1dcf6b7061cf49b25e48dbdf53e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
08d83b573b2b16879871120df8150b0a

SHA1
de924d3dcd5b5389d21d754b8379ece8a9870a9a

SHA256
8bd1962849c833c9407e7d2715bb55678f5e09a4fa960191d9ff4c0fb7bd4b5a

SHA512
1e8ec27ef4fdbbd9c8561652cbeaf2c5ffa57a25b04798a09218049e496de9bde8f2a40101f55b4ca8a38090211464b4e840cced63d541f39552b063b15f673a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
944b28f5f4a44e507142235656a806f1

SHA1
cd636c5214a223f87744e87e0f92f0dca8e4bfd2

SHA256
75bc78d46f65dfeaf8c071c88cbad3498e2ec0943a84ea6cabb04520d9f319e8

SHA512
e6754f7288919eed64f1fcb0e35067616d5e720664cccd435874d2af6b3f535b219ed135229de9af505ed8874174f89914a5d2db8114038568bf786e25f505e9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bb4bb1cacbccf82247816f74ad9c0299

SHA1
6a828fe5fcd6a82448d32535fc61af4a7247c203

SHA256
7d131b38bbb2af002debe283e3c8fd2e06a838eb92adcc43a5a8e41cb0988334

SHA512
a766ff77ee259f6e5868950391b338b2ea13210a17048d78da97e1bdd4429650af896150ba777087a8ee5efc0dc58a81f9b3a392ff980319b2ddf802907eef0a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1c184023ba30ecd0329d173a208495b2

SHA1
fa8ce26b2dd2851f8481ea4666254911ba762324

SHA256
cd01e9095be2dff6248f728ab4c1d2615f9e979fb28b522e52988919849e0d14

SHA512
13540301b7f23f42b03f15d9e9e76b85618d5094ea7fae3fa5b6bbab6a1f655ffe9f1dd00445517f231474a9b22fb9ebf7bcfd0d326ab62d813e12dd347f0fa5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
93133a6cd869436399ee9549a24c1f93

SHA1
7b0bfd72d6a3ec4da0ac508d57f84f3e34860edd

SHA256
2a937818f976dc120f62c1c4295b45da6a1e9e281ca41b5592b84fb97d54f50c

SHA512
9cc4219358efc12528e008a5bcbdd425a2e8c3b64c9c2f1df1183bbfcb8707a5f363af0889d10f9d62f5a1f8224c1e14abbb66ac7292d09653f9d81884a7da90

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
70cf8bc25902dce75145ac9b6ea9a882

SHA1
a33bf6e436703320bb82b41b93b4e7f0d51b2feb

SHA256
62bc5256df7ca7cd50678b7816739281bbdf59d24898694b3d51eb6cd7abcba9

SHA512
a88b5fe3070d1e694256b69627c24fd22e1c979db5c826cfe18b2e170290db2dece4185e5e8169ee660889d1e679460c9ff450e0caae478e7810f3ce2308aa63

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1e98de5d8a7ea014fdb926962c45e1e6

SHA1
f8db62d74e47be5ed000219322a45ef6f165fc67

SHA256
c14f1ecfdfa437b0ed96271f80a78c7ca10b14f6ace18ab561677e7a078748a5

SHA512
54dd5c085a1d057a6e78362d4029d33763dc9358f315f3e2710bb1c8565d69e120e475fce3cb046daaa9511fff694918950b8f50529c1210340c518568069e16

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
ab6a5398ee9e16eb5a7951865587bd94

SHA1
da13a2542b6be8bb5521d7420d608b46eabce1e8

SHA256
7c0c55b193304aeb021537f87f754848adb05b10a4c774a18025728842a93c43

SHA512
02f67a2c42f2dc0ddca6f47a6b727bbd8e4f278893997aa5fc690ae5a85f3fa9480dd8c79e67001c117528b8b0a5d5cede2aeb78d87f401f7be31a7fccc287fe

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4c8bdc2ed0fcb260139e4fb43c52d2b5

SHA1
7c51c94b58f6cd095452e4692cf8186458d15472

SHA256
b516532bf9009ebf99d87ec19e115ad80bacb8bffee777670441cdfa9e46265c

SHA512
8d151f3892978f9095209bd1a1955896fbd1a5653e2fba579d8a18982848487a6e3fc036a6b563e67ad37ebb999903bd5cda2daceeeeea3b49aa470a6ad63397

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f0876e30657ab5dc750fb843f70c4511

SHA1
25366f5d1fbb68056b9cbbe20825abce5da0151d

SHA256
c81768de3dcb0ad3b3fe026a4b29b74768474ce289af93114a39c46b99189818

SHA512
c22e1e9732e4e469d3ca94e69d2942471e34f7b0eb1ace366d59a4eae9fe457668c5ec2f66e66d1bc9bfa25eb7dde82eff91c9a3ea3ade2dfe2f54df4892225d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
240319a5e4fbd9828b0409bd86f8c90e

SHA1
8daf3e44cd48094ebf4eb76407b7df4e0d0871b5

SHA256
8a165c61c3f0e465d78e8c42b8eb5c0617e6ea5745c5949e323a80ab75970e56

SHA512
2ba919cf73853082fff154ddfbcd5bd83f15c3e603b4f585be084d1c9aea1d8ad6951312424969f254e80d00c044483ae76780100722f76b140b0241b31f3947

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
62a1d3580f615924f62ab0b86784ee0e

SHA1
4273ad6e77ab8f88c0aae739c40efb75a336547f

SHA256
577fc1d54eaba76cfde5d530dcefe2b756882df12939218d2c84498646a2b48b

SHA512
ea6f54e4d081b32a69241fc7d586c903230dc1470c6f9ddd67729dbb7c742d358544b2b7251696eebc5ab133797e7f0c5dca617c28f20ad2b2cd47343c651e3b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d173a71ba82f9fb62de4a6ac2542f6eb

SHA1
0e2152340e3a15548b75c593fb593c47e73c8d30

SHA256
a731ef715f995322bcee3ae01794022a5f1ec236a3966ed21d9a2e6617cd77a5

SHA512
fa8113627727af2fb9ef23329d4d3789a0e133f7dd8fc24ba7cbfa518f5f8e2b00ff68b1b4c93491498d14a997e5f7658e87471a501a7866952a49d8e2606ffa

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6a3db1098ff8bb1a8932d6d020f645a0

SHA1
dffde56116dd0e70c5979a17315748855529dc87

SHA256
1eb417472ac24951b6a0ef370d9e391eacd7770b20584364baa22721bbbf443b

SHA512
4063f8257078db6942be68d66f0903424335c0520beda9f84f0b1960f16b71520669edb0a01ed2ad037883692913da85acea7de3e4089cebff155dcd739b77b6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
6400a6a8a88dc9c6571031a62de5bee4

SHA1
83e3e8ec963e9d32680ad6fd3a3497f244630c5f

SHA256
4314d40cc0585cace02c6c17868ad804aa03f9d26cf3c66f1d4684b8d21905fb

SHA512
4f2ed8aba59e834098547549c860f13c1a0abc730ccfb637471055a3441879e2882fc63252409a85160248e6b7c34d788fa7a677861002110501c7872d639503

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
4e5ee5c7861bcde813caad741dcf7d77

SHA1
65fc11eb590c4193856a24069c800258d9f8dd2a

SHA256
c897e3ef9f31d668bc18de529dafdb9315fed1f4bc7fed6c43e73d56c20bd4eb

SHA512
d80f41343e78f66e4846e2f52049734d147d5018613666967f6547511f71a7707d6a6cf4e96a00371beea2821a718e79783515ebab81c4f99d5d365eeb05043d

Download Submit
memory/1192-247-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1192-131-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1264-20-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1264-12-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1264-18-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1264-86-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1496-65-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/1496-1-0x0000000000C70000-0x0000000000CD6000-memory.dmp

Filesize
408KB

Download
memory/1496-0-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/1496-8-0x0000000000C70000-0x0000000000CD6000-memory.dmp

Filesize
408KB

Download
memory/1888-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1888-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1888-33-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1992-120-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1992-73-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/1992-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1992-67-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2320-569-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2320-312-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2416-113-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2416-117-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2768-311-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2768-189-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2768-566-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2812-254-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2812-143-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2920-562-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2920-255-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2944-99-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2944-93-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2944-225-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2944-102-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3012-167-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3012-287-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3196-51-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/3196-52-0x0000000000DC0000-0x0000000000E26000-memory.dmp

Filesize
408KB

Download
memory/3196-91-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/3196-57-0x0000000000DC0000-0x0000000000E26000-memory.dmp

Filesize
408KB

Download
memory/4088-511-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4088-237-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4124-567-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4124-288-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4212-299-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4212-178-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4268-563-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4268-275-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4340-211-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4340-77-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4340-83-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4340-87-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4404-252-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4404-248-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4636-212-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4636-474-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4664-439-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4664-201-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4708-300-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4708-568-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4904-62-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4904-37-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4904-38-0x00000000005B0000-0x0000000000616000-memory.dmp

Filesize
408KB

Download
memory/4904-43-0x00000000005B0000-0x0000000000616000-memory.dmp

Filesize
408KB

Download
memory/4956-157-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4956-274-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4972-226-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4972-507-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download