b6455b7ddbdb6f5d74b898e89225267a8ea42406bd45ae14ddc7f56103b8b685

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
Size

1.6MB
MD5

f77be625c26c9767ff680f394c7f5179
SHA1

aaebcb3a4a419130f91f467ecf9b76fb296cf551
SHA256

b6455b7ddbdb6f5d74b898e89225267a8ea42406bd45ae14ddc7f56103b8b685
SHA512

8842897d70a95343b0caf1554a6432f6796fe55afd5be126fbe1485498f0958e7e37a55e2e33d08e2c1c1356a6cf6681499e9289295acb8ae4b22c350021d1da
SSDEEP

24576:l6Bx8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:wBxgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3132	alg.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
4960	fxssvc.exe
1332	elevation_service.exe
3976	elevation_service.exe
4600	maintenanceservice.exe
808	msdtc.exe
368	OSE.EXE
3372	PerceptionSimulationService.exe
3468	perfhost.exe
4980	locator.exe
2852	SensorDataService.exe
2424	snmptrap.exe
1120	spectrum.exe
1000	ssh-agent.exe
1892	TieringEngineService.exe
1980	AgentService.exe
4344	vds.exe
2644	vssvc.exe
3228	wbengine.exe
4220	WmiApSrv.exe
4272	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

msdtc.exe2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e47bf4ecad45b396.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C1566D4E-90C3-4D8D-8731-8398B4F79F34}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033d75f40af99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bf70141af99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000946ef840af99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f0b7d42af99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009aebf941af99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe

pid	process
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
Token: SeAuditPrivilege	4960	fxssvc.exe
Token: SeRestorePrivilege	1892	TieringEngineService.exe
Token: SeManageVolumePrivilege	1892	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1980	AgentService.exe
Token: SeBackupPrivilege	2644	vssvc.exe
Token: SeRestorePrivilege	2644	vssvc.exe
Token: SeAuditPrivilege	2644	vssvc.exe
Token: SeBackupPrivilege	3228	wbengine.exe
Token: SeRestorePrivilege	3228	wbengine.exe
Token: SeSecurityPrivilege	3228	wbengine.exe
Token: 33	4272	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeDebugPrivilege	4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
Token: SeDebugPrivilege	4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
Token: SeDebugPrivilege	4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
Token: SeDebugPrivilege	4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
Token: SeDebugPrivilege	4736	2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
Token: SeDebugPrivilege	3132	alg.exe
Token: SeDebugPrivilege	3132	alg.exe
Token: SeDebugPrivilege	3132	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4272 wrote to memory of 8	4272	SearchIndexer.exe	SearchProtocolHost.exe
PID 4272 wrote to memory of 8	4272	SearchIndexer.exe	SearchProtocolHost.exe
PID 4272 wrote to memory of 1060	4272	SearchIndexer.exe	SearchFilterHost.exe
PID 4272 wrote to memory of 1060	4272	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_f77be625c26c9767ff680f394c7f5179_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:936

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3976

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:808

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:368

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2852

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2424

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2476

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:8

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
a0d83dcef62b887e9423457aefe634bc

SHA1
564f341628e543996145ce9a909913ac946b050a

SHA256
f5dfff04e0f1cb25acccd79c8213a6f10441664836de0b42380f23fcc3815d51

SHA512
1319945efbdc6380583810a74b1a6f3333398ed72a9609183a58d37752da1d768e3408ac9425c7a81e1607fc778f81abd8f8e92b44df5d2884c59a0cdacff716

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
e5e3f55bc841fb9001139a93fbb9f14e

SHA1
10ee089e5e3c156dda63badb9a49745c344ae377

SHA256
5ecfcf1ef36552c69505d21bcc6984496b95f27df4e66083949cc0ea7d2b49dd

SHA512
50fa8a511ccecbc4c94fdf37493dd3fd1885028af2c74037f21a9e48b7f7947ebd0bddb79beb647667cabca68042e881a0c86987bb8e2f4af5dbc3bbd560e57d

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
09ad5c6c7d924c973bfa569ef0bdaa7a

SHA1
b0a0580bd166e949f38c59b286e714dcaff24f25

SHA256
48afe83aa9d0a0c5f41498a45acdcf7dc8c006be1accb792517f32d6de4f9aa5

SHA512
e1f0fa2fcc1128deee056634544dccd27e798f8ef8886b6d1316d2c650ec4d3083fdbe28542cb4502ce75aefb2d101eaa62f8ddc9cde5c99e30606b54c5910f9

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
da005ce447b0dc048de9d6869b7d05a6

SHA1
b8cd5cf54798ecdc7ebde3e59a972e14a533c3c0

SHA256
ef72dd88500ec68a01b5f442fedd3bbaba3c7838c080f5dcfa434578fc2d9df2

SHA512
9e8ee6117d1c7bcf4e83b5ed501862f203c80d15e2dff0e9f13f6890ee7f137e12de08aea9f0b81692fe1d0d14154b213ed084d1cb9de2d7fae586c2d5242c71

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
14af82f67291467d0b36179129dc0ffe

SHA1
2b9068490223913d743fcb89b9663b1a2997bd7a

SHA256
f66a898f84ab276c2a0107d695f464312ac900581d950d48a86581faac7b8863

SHA512
4d712fdd76fde3de95a44f8834d78d797405daaf7c7245926792a2c31f76e7b99442f8b7de72149f2badf2d59de0b3a025667401e7c74b63a12eec42be0a7558

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
fcd0d4546b571195779acd7d27b2a9f1

SHA1
bb143ea97d1bc14dbc0f0939c0091ef08e9db580

SHA256
59a578026926a2abfd76cb2e3de1b4c24a3ea56d8c874100fcab3ecc5f52e81b

SHA512
f1e776de8c9df5b8710bf7084001b1bad743e0af73b8e6ddaf881ece88e4e0b7d555612d448d9e9003953e3ee772ab84703a6073cde635ede7ede0d877e6a444

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
ca82da555cd4e967ca874c3cca719d0e

SHA1
62022b937fedc97b51d45a222414191fae4f43d3

SHA256
436fea01d30cf8dbf09c137707ea57a131d6fd641696d5cdefd7a2ba307322d2

SHA512
63fdddf97b59d1815822add61d43d466db74d2e9bcc1b64485f50615a5e5f125af6baaf2ee65c3bf35e6601e942e547bb5f11e45974ee3234e752863d9b7d6a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
faf56383dc9f76fc8f564d643b37d8d7

SHA1
0d6bc1b333f3a32f0bdbaf6ff51d7c4bf8ff73b8

SHA256
20ebe51fabbad1699db624be0c6eac9bb71e78173f07cb6377757e4f87249507

SHA512
2fbe9312376ca93a41ffb143c412ee834e8f0cf298ac7e3a07e5f647b63853b370fd53dad8f93d73765b26c9af16d322a030386b924f29fd853ee5dd213f352c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
4ed633ae4e923a9aa18451d6c82d8600

SHA1
834bb94db440b2606094ca50867b031a9d8eaa4f

SHA256
46b5b969edd55094a94b2643aca558321439045a512dc824ff0d2a9a59924667

SHA512
a7931ac803d92925de253a3997f99a02d625c3b76ff1449e115016a1ff6af493dfa297502bc09290373e684801b33c3e40ce53f3fe1c73243e688f5882a39654

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
b1c532421a11df094510cd852e512ab2

SHA1
ab929a492b8e92f217cedaecba8368c3e38829ac

SHA256
4d0e0567f765bd6689d47877bcc09aad90c9811dac8a5899f272ef645543a404

SHA512
55d063488f69664608bc8747ee77ea2a6d4dda8f9ea6e269b886f31d5f8c48734d6dc45274938dc6ed048a4af981e5512492e484e0741b8ea56357739a9ffdc6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
56f92609b9eb12be5063d494951f27ff

SHA1
3fd32dae3e8a598c3d7c9f59c38be88886543d8d

SHA256
93917e45546efa78545385c4088b42d45e818d0a8554b69def4a4e14a22115f4

SHA512
e2a76523ed06643d5376bc2d08bf7bd626e7a53b36546bc65b03bea7b7e3044235a0dfaa913314e159a11e0798806f092301572545da89b3135784f5ece23331

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c2688b41cba4d35bff42eb9bdf050a13

SHA1
dd0bd7ead1b3964574b7bcdd3dead4e3790ae8fc

SHA256
29d86961f69d24c9473d6ac3a21997f05cc3aa7b04965b4552e0ea4b233ff04d

SHA512
eb8e62134031911f482d1c8e2c39e9dfceec66a7eb1a62aa2bc87560cf4983a525e88b4538320a50e42f4e298d0c7193f96176a752f79dcb2e2363a597d9c893

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
4627d7261558a6bffbeeeb2354a17f48

SHA1
40da012add9d506582c954a23d26fe2ff98ed2c8

SHA256
7645ab85448bb8410463ac8eb5bc09f5312485a8361cb2dffae26781ba701c17

SHA512
501b8c80a421d82abb35ee734a39c9e263ffeb5115b2ec9c964391ccb56335aac30b60c13ea613c9d8cc702ae41704a35fa47fb7ade7a6b4ccfe7d8a03ab7228

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
5b13d99cfa9b07eaf6177ae20bab8d01

SHA1
d127abc1dba13b19de90fc4d120b23a14df84868

SHA256
224a911901244d2c0d69479e5bbb9438e2b2e5a033b5b077fd292fd96d47ceb2

SHA512
3dd939662c2fb8d97a643995f1476a8763672d380d6fddbab45cefd18a099dcabfa759a3867d275e74d4ff99a8e346d3d7f668f520f8f617eedeaa0d9c0f2bac

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
2d8dde029ca050ac000c626867ac9806

SHA1
7ba235884dc513da10a6fa7ea28de53ee826cac2

SHA256
7f18ecf3859202b265d9de8f06d2127fdc7c2fdb99ecbaf743750fa31b053018

SHA512
288a528fa99f5e1a23c87391dbce228a96316adc336f67684b664525861821d900f5cf5d4b83f18628fdbd81315eaf311f01f4b9eba393247442eaf57ebb3f5f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
4949cfd3d678a0e80892dc07e5488f85

SHA1
59eab819e4852d6c8468f78ccebba7a178878d22

SHA256
c14e2e96114edcc2fded169ee83347109b2415f6d6e9f00cd81e1e8e3cdf50bf

SHA512
385a5c84a82d909fc61eebb295a15639c5ecd7cb6745a01f4fd5ade074607bfb410860ef4b697e7a8f1b15d30624f7c44521fcb639c03ab2f74c6133765ae4ed

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
fdb54e868e511fcdc8ea8dc79a966331

SHA1
fb15de05aca3c55d4c5fae1aea9a4e523ea07903

SHA256
1636437b5828c41bc6bf42ffc0392b1d577db5d3718743b75318e5164615da37

SHA512
bc560d2d403dfa2961052beb557841d73ba09a8f1b7ecb4458bf3637d31a659f3a5ccdbe558d386d9ee253e2e4d6ea2557bb0f0264554e9174f82ae126dba0a4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
59f7aa5bd47b2724e16f855c3da23f5d

SHA1
0dcec2ec9442824c16be17adaa9e1ade28f2f707

SHA256
6abb90addb72564a7f59cdac87c6170131c6c9fcc566424715a668cda09a97f1

SHA512
72753e7dd02040cb6c4e32101de9c91c5d8c2c8f4b0dadb8d3bb17b95a5f438e9d700d8a8e4992a02085dacbe94231963531e0d573dd0e99cfca427532393fc4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
4519f63b0e922cd54932b9ec545736dc

SHA1
e901f25fa24cd9f89d502ac1e9aefd1736cd003d

SHA256
f5f59f476ad15d052454ab9ea375e7ad5652dc8df85160d3397a7c8c1861cce8

SHA512
64f2076eee8582471795d3c7003f9c0bfb166fde607dda0ef7a5483a5dac9834126d800cf75e8ddf0aa3330dcfe0903e33fe77e722838121b6c6ae52c811eb63

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
db216198f2756937897a791040d54798

SHA1
b8730ee274756d5c7713f021921026ba7ead078b

SHA256
9ac165a8824831eb30330d390d0336cd6fb963f10accba10c5f08f5de58c333c

SHA512
f315fea7345428936bc6d5ae1aaa6467a335863d9998e6e5d8a62571f5b43356b21676141887ef48b143ed042403a66efabcf363c34d6c2ff3f4f13ccf0213b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
fa1c2724b1829c4b4f809fb474d97a69

SHA1
badfdfb3e002dfdeec2b3cf968424f7f3e495814

SHA256
8672627ae8cd505c3ee355b1f92a34835451723612cac8abe1cdaa3b8e0af727

SHA512
809de8a6054346220379a506587d3a8983a4c2f27b3fc26cefd3eb2934c84d46d1ad485a5f4d4002baa452463532f370b3bf33306f6d97ef5cbe2e23e398c948

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
387aeafd5def17ffdeb04ee4b3f676e8

SHA1
9083be523bdad7acc6fc1bde14845c63643d1164

SHA256
479046c20ff6f87db9f149eef5d98282b44521912e1c0a6e4be2c3436910f4d6

SHA512
24cd143cb1f87fd8e37600a3122b28408a8bef70decec449c7d491be1ac1ced7e7520a4edcfcf90c53915a6cfd8bc87035a12513e042b8f7d606a46d15d99ddb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
851956567c45e9cee9727b420721cacf

SHA1
60d928df3e82292bf549c8af3403d68576065e3d

SHA256
3570ff57ab7cecc89144b12c030e9d23e83935f29fd3d7049539b2a9d8800786

SHA512
075a14d867f5bc431cf55092fc7e7c02f81e4c9cc8f17e0f5b04c672485480a4ded07d87a4d7c5e496a4fe85a75747c31d9b2cb6fb69be2ee409e1235ade706e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
1e4a2a3673ac68d3b4267d92e8d7edae

SHA1
e5aa56363c5105c45cd9207607f053dce3ec1197

SHA256
9deaed0464220c55735bdc70163e46a0ff8f00f1ebe98e7c957c795201c2b91a

SHA512
70d4c9ec50969d064341f5066256d57668f22c043dbf67d56c75b81f0f4b8293f3c93e3a9f52f46974c22de05ff1cffa4ffb4c96f89fab8da83d93749cf11f80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
f3080a53e300260d130f8f87a9d477ba

SHA1
1200038b0bc1d6a7f4bea51f0c616bafd5a7e9d8

SHA256
69fb8ff3ec04d63750be132065dadcaa9897bd10c1eb448d5abef881ad1c2f65

SHA512
365959cc45709a9998c8ee91169a4dd5c14d9ddc454ec04056f7a4a967c7a25fb37ac9d845b4e63386568efa078ccd675441eb1a3f62d16adc2f436386f79818

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
7c4f28e439b2fc76b236c361533dd016

SHA1
dba70641c9db9a0624d5c0b44dec60d9bd4010ed

SHA256
844050794ed09558a574f8fa3c39f3c6d6ec778d3f873869be5adf1f5a5f7268

SHA512
196cdbe29d0514137ba8cc0602e8bc1b35fd6949bc57a05384fe44bf8a5d2c07f1234a611cbbdf21eb889743dac1641f3ba91a46b0a835b171cae83ac0cc768d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
b928383c572b74900ffeab543d46d033

SHA1
a0b931fd85ce5aa8759eac3bc2af75969ef18e64

SHA256
2895fc12cca993a3b41e2c632abfef05639496ab93615c5a95bc7d186a582333

SHA512
96eb5b7843efe0d4ae57ce00de849d60279f9aca2faa6bf313dde75003eace6026529410d34234f2fece1e55af2fea5f8245b09f4201aa1d53194eeded8dd7e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
483057f9844b3de11c9e4cc5dd447b2f

SHA1
6aa2d1474ae99550fd075c8ef382bd86cf76ce43

SHA256
6d0ab96231dfb7f9eae12869fdaa336097f8361b06c6e76d507e6fa897520265

SHA512
16b746f3d356dafcd981abcd6f3bfcaed6d7d934bab9ee6539d8a02722d1c59e3d0ce7e1f1f7fd8a55aa2f9634b7bb20ede4d545d3e6b30ffb59053fcde50fdc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
4e8913f0c6233c51987ba9f8c4a7487d

SHA1
d36dbe78079b8752e91339f8fa35b1b1457c942e

SHA256
a849e2ed642590eb5ec088f196151a6fcbf8387e939f7ffaf5dc8dcd9e7c68c6

SHA512
ff38a96e3b8b47a4d43dc8d40da518196255c34c05a7f1edf68012f652b34814a946ba9d0028978abf13b738f936841bbaf5a9c0005b60125ad4e35be74ab3cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
8e8dc9e51da3f995891c090d8c6d08c1

SHA1
728a3c67e7da2ee2bea96f59c8786374809a72a8

SHA256
18c47370bcf873edd00c44eac83330b5146d17b3000b67859344f285d429b1cd

SHA512
f9a7ec8eaa2c461bf02b3f953ee82b03a767aed39b589ae5e0b8fadf400d6e7022468bfaad655f0fa0ab5d9a64d9c9946983ca744d3750317b25f36153a1ec4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
494d5f1f2e2401a66d456089f322a1f1

SHA1
fb6beb02b100aa3f05d3f2f638147be8cecaffd1

SHA256
9860e8f0b9ca1b0a295560611a20ab073e09d5a04c622ee6a9d89eb3ad002ba2

SHA512
ce4da8e81f58bebf3b2ee36310d3f783af9bf7a9d291c6f9d274f1e414b7230efc3c8939b8ce7617e0aeb5dc406ce771009825a154880c2ee26d06cb73604110

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
0c4003af5078dd863621168809ba2633

SHA1
0971d4eff8481482820bca3fea91636a4520a673

SHA256
f0ab4a7971f33526427c2dcc745810fc71fe4da088c86757cd03b5d92a8e028e

SHA512
1525a627f728383bae31ca3c7427cb899a657544efbaf8adb4c8d647fa16fe30857a5f69055adbbc1debb8e26274f82f0a11677fd80ca52c7984345e81970e36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
5a7baf388d4a09b40679fedf39a61804

SHA1
d9a036796514a4aea12c3a92c575eb260c241005

SHA256
5e21228c1706726913efab83fc3073475c1519e4136c348ba2ae1e6efe1c59a5

SHA512
f01df89a20667afb4e1fd9b2b2f9f9133f99e81b14ce61583356e302f8486921016a4cffe0b140f108383c8413053c289cfecf8dab9c748d33cb50a58fe37d72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
ba94bd9543d1c2546ec2bef7e6889a84

SHA1
533fb859068199d91a6712f2e006b3ff35684c3c

SHA256
1b2dc6684eb1401a5ec41d4e81060439d0eb428425de0684fbe9ce938ce12841

SHA512
be36eb116e51ea41f3f79766f2cfc359d46eda22dfc1ba1f93b261f77745ca23ca9a7a2730d5c1397775175f45d2b522d4b0dd0c5296939c9eb7ef27e3a633be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
374d984303b3e8cb2b4eb25952ae90f8

SHA1
aefb5eeb07ba9513a675157cbeccd2303bb04796

SHA256
13bfc2aa0a83206021abc09fa4c3600984e89693633678068088de2c5c2c3691

SHA512
2b902264842017ed5d24793896fff21e452de805d6446440c234fc59f5ee41ff662403affa9b976b6f2958eb8dd77d66764488003a8f032df0b31998a0d90ea0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
aeeca7397be2a6bf1c7512211bac2ba1

SHA1
5c7c0afcff0f64fde702f31ca61a7e6c82088a87

SHA256
24fae5dde53fd4e233bb22d96fd9ad91f51f4d71b3a52d1dd93e7d6839bb72aa

SHA512
812e07bfb0f15a1921d24997ea55ba44f44b5a7f197d896c29cd5aad876044999f6ee771fca11510cf7990437a9b78b7332164cc3acb3a843780adc252778b14

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
c213910eb332145682520f668e376e3e

SHA1
fbd77f9ae03b451b5cc6befa83426ec06dc48f7f

SHA256
6e7f77a864c618bf79370679eecb07080d05ce3cb3cde771aab81c0417468805

SHA512
8e84d722cb2782871c9b2cd346d97cb0f05785c6cad839b5b7103a00b0198839e847f59689d830232cb24160a977e4a2367ec0c535cc76f47b5a8ae089a0a47f

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
bb2c1caf6b62818193870d2b8999ed0d

SHA1
1dbaa41057f825fe648d9608a6da88540fe1da4a

SHA256
00efae75b3f55c7a58d6d4326c983b3ca719dbbaff48e0e84eb29e9c8c1e0e1e

SHA512
35c26e44fe0fe605e7816afe3a95d4a7051ce93bf3699f0c3d8294642aefd33ec4cbb83ca3f4763222dd9375c372b15cd438c882d8ac8e0ba38f52fbd1d68515

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
c82ddb2103a9be29ac257b8f3d29d2b4

SHA1
8a3efca20ef351b8c05786d9899293abc44e4717

SHA256
04ffa635cbf7b0e96c4c345acf319359d5cd6d7af9b28ab71cb0feac71be9407

SHA512
bd22aae335be6beee23d23b0bd571b80dc7261158da9a99eee931ad3bcf157c28a9c065e7a6dd7296cfebb9fe2dac24dcc3b757acd750d5178522853974b68b2

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
387315be7e88e6182627d6327d4e8620

SHA1
4a53e4a18e298c6270e62b8d648e6ff56036e2ad

SHA256
f2fc633c3fd1d7fb14638fed94d6c7a933621d5d7ce96037f3847c85f6b194b2

SHA512
93d030b32e9d41b4685995d8406447b9b0859815a3a9adda07f9ed18fece8f7b871754c8e918872a93f512cc366642be4b140afd72e2dd84a556f26de69f2eb3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
4c33c98f97ae593197d3c97934a96dca

SHA1
34e057753445ff91aa0a7260747295363c2497fd

SHA256
ab3cdcdd684d857a20cc367915369a1a2a3d7f940ccb5bc553fca13dad66a067

SHA512
292e1b9e26d841a8e97e9859914f8ef75ca3cddb8ed3d3bf03851877f706ff3ce29bc41a6977c62590b8a32af9c9983d39f0973a6254d40fdb9501a37a1d55b6

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
e622c5ca881abd46de98d014ba75d079

SHA1
822d0f17200fa3930aa7edd7c6ee986b21395de3

SHA256
d735f22634315916be997a11d12e3e868c6fb311aba91c32159d7401fcddea7a

SHA512
0d14d6100db8cbfba829a6bfd483450d92b88c1711f02cfd2288dec57b7891d476a894111724719f4fe4a20382e4cc89612d215fd44227f1e24939cca258a17e

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
338469b7bb01cf10bf96595f870e3fb0

SHA1
87a8157a936949504de666ebc6baa8db78f4b76e

SHA256
8d5553eba674df6e02130fd49be92f5375fe473de22067e8c8789cbc7c8fa2a0

SHA512
f7e3304c3eb6a7f04d6344acfee6d1b7e4956eaaec2376d6f4a226e481ca7eb3b50052f2529b025d81cdaa50e1bfc928363d830c7449c103d90287676c70a85a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
cdd5f56cfab466d86de79d80e5fcebaa

SHA1
39bdeff82dad05eb3d55ea9e73b6aa8b07b2c732

SHA256
398e2eb6f6598cf11125419d93dbac741ed76a9226209ba93ee2a3f054db944c

SHA512
afda5ea29e062f7a1f1c5b422eb170a19694a6ef75206f785472b0f406a7b01d5b4b1198f878c8d8ab53b8c6138d3500d0d618e2c03e1fe7dff4edc3df1a313e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
334e3fb54cb0871238b4bc3d694526a0

SHA1
9c59009c60c7071f64bba075a145390a6b9514fe

SHA256
8725b3ea23da81629280299116dfc0e18691d885c04a342c36450a94f9c211c0

SHA512
5b9420361105d2ce856b2321fa5002ab5c4dfd30036a7986557c8102be47dd40ef2173e0cc48fb594eb9ecc2bb42a830f845674180f37c28b1e5a78ad81eeda6

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
8e80e69994d7d92e71891c772457861a

SHA1
7189574dbc6b7b82651d761def51885e9a9da9cb

SHA256
58c64e0b69c192ab3004e935d82a2552bbd9139f9433f5ddadc945ca75456530

SHA512
21c96f844840280a622610a626c531ad655f7c69eb562a1ccab92523ed52ce7769e2b9c46d057cce2d533c72cf9af4197de0dd04b5ae2fbe74605bade9ab2d3a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
26da68684f8f05345d65ca3a7f559916

SHA1
6fe48a4f343bc7314caeffe9fbc4e4668c8d7fa3

SHA256
1bcec060bbe577cae5d41eb59e552705e3cb6615f6cbbf0368622bc0e0c70b13

SHA512
199d3e69c94c6a479136fb1d1ea761e3663f236d2ccec76795555ec184c89c2c43c7d9e712d0e5bb09391b86ebaae1d7a52fbafc13c1774c354afad1935eb08a

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
3fb3c08d1b7cb4099d44db170b917c19

SHA1
6a3b0bec920b7b5e809fa12ac41a89eab8e070cf

SHA256
f79cb6a210ab2ca6bfb5b09cf32f056bc082df0e1ce49425f6cb0d5255b282e1

SHA512
9d33bf1826759e702cc03fd7826f1f9443fdf6be4218806a4228e8ef2686d1fd6bf7122ac6a9bc5797fd2faa5ecfc50dd29bde516f48442e89638f50b87564a5

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
207fdc257890c62a4ed1b517cfbcaa3d

SHA1
2cf8ea9363db7176ad01f3585a5e916a9f449fce

SHA256
4d6fab95529583e8c9fd19abe441d76a62c6e92abf99a4585803b178d48855f3

SHA512
70f8bf393a924b056119481fb51a2393705c278b7d930b4de52aeefbc47a26ce9cbf1c1d0b9bcf1975f168ee1d0d73c102c93fe3b529abaa1a4bfa2d3652dcff

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
f25ca96b651236eb1b21fcd2466fa3c6

SHA1
6721d66ed1722c8e71de6d10fd375c019f32a075

SHA256
489e5f10c8467ede8f5106d82b53c1b71e497c374d2eee23c61e86c0364511ab

SHA512
3f6485bbcdb32b83fe52f122dee439b4c4db2eec6a5dd01e15b018d81cce8ebf2695098d24d9eef3a7a6c6f45d41c398f3e80567552c640fdff1446f938ed850

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
45f553adfcdf13d0caecb9978dd8248f

SHA1
4a600f48fccc2575175ba2bdc546683ae6b8989a

SHA256
8d517377c3d10ce0423f8c6857a474061537c1c1a7af49b05e5b4b1d40537790

SHA512
b651da4117eb8b3434e68060945076e6a54f8778aa157c312fd03c6af524d27052acc690c70e3144ec8c07914292e98a7ba4d42e7be20b89196bcba45e963cb1

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
304f2bedd8036fffc1e0a9a5548f5c40

SHA1
50b62412e75a474a6766d29963f665ed5fe171f8

SHA256
4e32896c23bedfd4cde45629aa4008fc45887247b8c32118fc785ff17ba7e50b

SHA512
47f79d496000bc1be9091f5e105da6701bc1b2254ef4f3e47e4282ccc0a6eb08b534cffbe0e7860a4c1f8ad71b4fa975044ffbacc23ec7165e8218197c8c359d

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
becf48259aeffb234324343aa03d2b9f

SHA1
05e31f553176aa34219ef6811f561fcd33b863ec

SHA256
662a4f14fc52a07d984d52d30fabda3b02466938dfdd1c9da8f899292a9fa05f

SHA512
4b9900e483dfffd02ca2ccce59963a79d5bbea337a585e8251f23a8096188d478867f8e1a7271f6cf47f7560c8ec9457a67b7b3ec271058ff375f91d7669a643

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
e482e64c965892c05b0f643e8192f331

SHA1
e5bcf5aa53937fe3f739b0139a05bcf9db1a620b

SHA256
cb93cf19c8db6d61b510bb53ab6e337df0de18b3eec7dc1bb04952e16b680b28

SHA512
690e6dc90b5bebd37d44c54c16f2db6b6dfae9be5f97fdbe00bc34e5689fe2ad150477e7ffc828c7be240292a86eb98af43a0e37e2d9433950f07319caff37c2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
de61780e5f91d30d4a60183a6e1ebf58

SHA1
3cc3f66b8a25a308e036c98bb0847860df05e7fb

SHA256
824f188728aa5c23304b319c4b024a6408fef7d15560ddece4edc2c07a0b43b1

SHA512
22fbbc5ae993ed826f853843b2503a74173bb1a4400084f60108a2e4035439ec09243f0dbe12fd8c9b61a2c981a8de73b8bf845816ada16ae2d06aa48a3ad571

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
55acb04a0b2fa19c27d7e0746a9565bc

SHA1
d37501dde25bd196957bba38abd2bf7965971c32

SHA256
eb0b32db896ba83afd92c569f778e4476dadc339dbaae7103cacdb588ad4db26

SHA512
fa08f35685ea02a6ae8e2cba2a9249186d99fd61982b203f628c25ca60c46282c26e2eca94f2f70fa05a3ab450624b28b5b3430b94f07c2f29812578bffb39ee

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
54a184e2b543256e3897e51390a16fc3

SHA1
1b5cc0ca900bc31f44d7ec552af329118cefcb1a

SHA256
52b04eb7653a5e2c7d192cbb94dc78d52a70d03f0cc8ad57e5a26d6b4a7b0f42

SHA512
ded05cf3ffb39faa6dee15f26966d7efdb1d26c3837da7c3234274fd52b4e7ae527aa2505cbe4ff04f156ef6a0714847b3a0f25a449e5910922ad9cf12c675e1

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
98c3fb7b08de05a7225e26ac1c3e1a22

SHA1
11d9b7b74893855e6fbd02f71bf9de8fd6a633e0

SHA256
09d9b84bf3b6c0bec1ffd92a57d1eddea792917169a3d3078c8cdcc73fc3a015

SHA512
f2e744dbd5f1a649279d401f88e16703cfb38d3990d42f7fdd186992b46a5133c57a46e6f383b162ee2a26822c1175d331cf2e5e175d2d41b847d7cf2520cf49

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
0a23df24ad741653ccfbfc3751a1f787

SHA1
82d44ac4e9166d39f991e031aabc45cb2871e43d

SHA256
2f2449d630fe66babe4ba6fc71d98601e16c6b944a18bbfe2b3a770ba4cfb517

SHA512
f5c29cc27f3877a09ab7cbba25c87adfb1d9911fe62950a3fd27099e361a1ecf8eec5b553f4318fec7be9e71a4c1d4a9626096ecfe841e0646540be6d8961ea0

Download Submit
memory/368-114-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/808-99-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/808-219-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/808-91-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1000-188-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1000-526-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1120-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1120-453-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1332-174-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1332-54-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1332-60-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1332-53-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1892-217-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1892-527-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1980-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1980-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2424-163-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2424-404-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2540-126-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2540-34-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2540-35-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2540-26-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2644-692-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2644-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2852-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2852-524-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2852-160-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3132-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3132-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3132-123-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3132-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3228-693-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3228-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3372-236-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3372-127-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3468-248-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3468-138-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3976-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3976-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3976-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3976-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4220-269-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4220-696-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4272-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4272-697-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4344-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4344-691-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4600-85-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4600-75-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4600-82-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4600-76-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4600-88-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4736-90-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/4736-0-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/4736-8-0x00000000023B0000-0x0000000002417000-memory.dmp

Filesize
412KB

Download
memory/4736-1-0x00000000023B0000-0x0000000002417000-memory.dmp

Filesize
412KB

Download
memory/4960-45-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4960-47-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4960-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4960-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4960-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4960-50-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4980-148-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4980-260-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download