c405095c44e98b7951134c5b898357dd765f23a31dc08e062decaf70bdeb9e34

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
Size

1.3MB
MD5

640dcbe11daacf97a2e900c6c5f885a8
SHA1

b11d471568d6d9321a2b5fe1bcbfd6b4c35aca3e
SHA256

c405095c44e98b7951134c5b898357dd765f23a31dc08e062decaf70bdeb9e34
SHA512

5c2bca52ddedb0410978e4c378e177d4e2b547b086cae1706df91157c752ad0e613325d63e18333ad780060adb11309def88d75a269666d33287043168cc8153
SSDEEP

12288:3tOw6BaZJNTpWSgN/wwRN0UL0G/TVOo3HC75nSE33b9YvFH:N6BwdCN/j2GLl3iFSE33b9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1704	alg.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
1552	fxssvc.exe
2304	elevation_service.exe
4864	elevation_service.exe
2480	maintenanceservice.exe
3404	msdtc.exe
2556	OSE.EXE
4672	PerceptionSimulationService.exe
4076	perfhost.exe
4240	locator.exe
1956	SensorDataService.exe
4936	snmptrap.exe
3768	spectrum.exe
3772	ssh-agent.exe
2084	TieringEngineService.exe
1992	AgentService.exe
4920	vds.exe
4476	vssvc.exe
4980	wbengine.exe
4716	WmiApSrv.exe
4348	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3b54e053ad45b396.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C1566D4E-90C3-4D8D-8731-8398B4F79F34}\chrome_installer.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b32516ce999da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c179b173e999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003653d46ce999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cedab373e999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3c3fd73e999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ab4ac73e999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
Token: SeAuditPrivilege	1552	fxssvc.exe
Token: SeRestorePrivilege	2084	TieringEngineService.exe
Token: SeManageVolumePrivilege	2084	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1992	AgentService.exe
Token: SeBackupPrivilege	4476	vssvc.exe
Token: SeRestorePrivilege	4476	vssvc.exe
Token: SeAuditPrivilege	4476	vssvc.exe
Token: SeBackupPrivilege	4980	wbengine.exe
Token: SeRestorePrivilege	4980	wbengine.exe
Token: SeSecurityPrivilege	4980	wbengine.exe
Token: 33	4348	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeDebugPrivilege	4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
Token: SeDebugPrivilege	4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
Token: SeDebugPrivilege	4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
Token: SeDebugPrivilege	4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
Token: SeDebugPrivilege	4184	2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
Token: SeDebugPrivilege	1704	alg.exe
Token: SeDebugPrivilege	1704	alg.exe
Token: SeDebugPrivilege	1704	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 3132	4348	SearchIndexer.exe	111
PID 4348 wrote to memory of 3132	4348	SearchIndexer.exe	111
PID 4348 wrote to memory of 2440	4348	SearchIndexer.exe	112
PID 4348 wrote to memory of 2440	4348	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_640dcbe11daacf97a2e900c6c5f885a8_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1508

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4864

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3404

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4672

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4240

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1956

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3768

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2528

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3132
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d2abbf59fc12dcfd18bf686044d7275a

SHA1
2dc814cba2713043e7dc6785c4df7d663f640fce

SHA256
edfe27d31b59684dd203d98d3497e641aee33ea2d3e505eebe713553d503d3d1

SHA512
b8429c3dfd92fd4366258257ba9d48be0536f093709aaae30e6b26bcef1298c44777b59fcbeda81dee59a6e15d74b7b0045fe0fce869b3c2eb5d11c96061315c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
adb10db4dbc010744afebc695bc9de36

SHA1
5d169b369d048013b22660847d5294682c1ab134

SHA256
c3fb3a1bc2c4d69dc0825ebe060a6cf1813db185183b86999ebb9e714c250f7d

SHA512
35a22ab37b82051bcb19cde8991ee8d456230c1b67044a6a2d871c9c994c43f179550dc3fe56131a1d4a47bd7907a4e2e2793776772f901c6f6cda7b7b94d06a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
17f45c0de790bc8b177ccfc1076be917

SHA1
828e9efeb91300fcc6bdba7ba3a7fe99dd5b036d

SHA256
e2bad15cce4705e079046b46e41ac3745a76a933583fa88fa9a5a45312cd12fb

SHA512
21403cda5f5bba119335bead9a7f0fad21a728d2102554c0cc88ebaeb90535da67641b8f0b84445bec28a6183b92bc7ce2a44b3a160cdaa1ec8f7f1eed1337d7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
611891b50116b4b6c651d83449ad5421

SHA1
8e4ce755086a16ca1167b4bdd19762371e8c8879

SHA256
051b2d9d718881deed2899622aab7f5ec6be1d466e6123693ce70ca317330b22

SHA512
b124ffb1336567fb6703f0dc3fbe33c8af8e7ff46eae464d4ef5b93a77eac2409b86bcb397d97f158d9a39b8d15b3f63da75fc9d84c944419f440f39b98b8272

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cee223702face5cc551945ceaa2d4cca

SHA1
79cbcad9a3609d7ff2eb9ad988527c9e24119904

SHA256
05b0657c2ee8217d3598b850305008706ee1653f6a3bf8c434e11296a6123e9b

SHA512
811d4a30fe8f4e17ea798c4400740583633d0bbb48940bf9128f8bcb7dd263c63c5aa848dfa7408bbca918b836c7aa02f2b13c7f6ca349d2a8bfd108e34dc94e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
dfadf6b25c1fc7a9299dfbd13a574ed4

SHA1
a41a3bb866bc4f43e9ea805b7836aae75801eaef

SHA256
7aa976cd3a5d303c2c31f3a762b4f0eb14d9796e362b21d68eb8d1ac06f98a74

SHA512
f43dde0ec98ed19ffad712df19539382eaae4726fe99c90c3c766f448fdf21f1e2c2610bde4ea3f5cd8f6187be3c52892865d066d08aea4aef3e9c602f112f73

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
18c16f2118e7b939cf7ff008efd39710

SHA1
122ea5085211f3d07f0c939ef1052f824ed3aebc

SHA256
5c7ecb2bcfa5c2ce19bfac77463c4e210ff351412014af9f88ff2f1a2d8dc4e7

SHA512
54e59e1df54c278b9aa23d88d925356c614ee5b982bc25e3cb33a944f611d3b3d6d805b39e199494fbaeb5b22a3252e85b172635b4500ea10be996a99b02e29a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c789fa8f575eedb8b11684ce3040c0bb

SHA1
f70a519e2271393a956ac66a0b1b95373cc9ef3e

SHA256
316191212ffb4267cb003fa828af3c7049870bffb17a9b79b259321613bc181a

SHA512
ebca626e9fbda0e2ab9904b45b223cfc15ac8f1514deae9dd018ed92a466587464eae737886c653b7bbb7e4bf7c22295ddb8bac56f3cf54cf66462494a88aa25

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
f72fb49b5a7c55fd471ed30fac640ab4

SHA1
f8dacc8dc23b7bb11b4a55408b5b9070390229ed

SHA256
fcf082400ca48d2b8f35fe8cd65cf78afbb6de27db8808737047fcf83b8d5a1e

SHA512
5ed6901060704317d80d93eb921e4e2024d1a1f13acca6c8b3f7990f82f8857ce3bcef72374e0971266c028fa0a7addb3fa367e0b1235e9242f656f6750b83ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a0dca2a56faacf15f0a53b9e722d1347

SHA1
52ec5f6c14239abe8869a69d93be85a44a8cfdc3

SHA256
926690c26054b79140ff050b404c6cbfd4d51f00618a09ea3835b25b51232744

SHA512
cb9559b189f088f5c3e5886c48d4361fc26f16107c3be3c73dd1d7b41df0548b1a0389682ab1041686220dc34b804985e39813e68f9f9ca7910537bcba1f11e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1937efc861791740ed4f49b5222dd4f9

SHA1
3549a18d4e6cd069bdd36cc23320d86b8e64b5fc

SHA256
7bc447d676948b2fe8828dbb7ae73c0f2ef5af7081ba4e3229a53de7e65667d3

SHA512
d0b43ab515196737028f60e1b10d8ad1769e42dde3572af3c8e9650c7e128bd5b368bd648fb91c7d36aa9d0fa3d2f78de2b45afdf547c393618b1aca50945653

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
be6d36a48b977a2afb707c745146eeb7

SHA1
9344fcfef0fec6163ff96db0a7626468848a2853

SHA256
30bd40c98e9e7c4a3cb287f11b5f94e53066a01bfd056fecdaaabf5f798bca04

SHA512
ddda4a07b87f7b7d7041c8e0aa4b7114f7ae8c5a06b884701dc5f375b06e28c2b13bf962b445bffb8f2159081df0c0025b8b3430a4dc174de76232e57476c708

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
ae04214c8c154c8bc9d39cffa33f5e19

SHA1
4975f37f6e56cf5ffdf74ab86bb1ddac21082e42

SHA256
de0fba7d3056d758634e469223beb9cdb00bbf654a4a487bb54307ce07de3399

SHA512
f8c2f03ce03d95f8da8424901f72c5ac760325f62a3afb21319aeb89928bd515bd602268611f5fdfa43a061a3d8a4aa72a362bb5e69ee6e7781dbdedfb4c4bb3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
4a415d3e298dc1c8c93f0e41f077eb20

SHA1
2a2bd36a84e371a561cb9b812a42780a6fd1fd3c

SHA256
1a83fe9299fba7fbff98307efada687421a9568732d45d2807e9101889bf4556

SHA512
d1035a13a75108dedd73d716eb43cf383c368d34b83317935d953874f2a220c39bdaf972af456f57eeb8312e0ed2a395eac38c28e2c4b306ba3dfa5be1ed532c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
30c7d1a1aac38cdf89a43654e00017ad

SHA1
5632f5aa25491c79f0f60957b35ccb2397eed642

SHA256
dbfefe8f4de0779b62e06a7ff568370ca591bae291d3f86e115f976a67b2b253

SHA512
831f41212bf1f19e9c1942128b5c8e4cbb2bbfe00eb6810068ab9b4c5f6e25c95da860c5b4ec2ef6a258b5cccc3f77a67ea81b25f8b8f8ff9511feeb112b7ce4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
1c267ddc642a1e809d02fc3e5b6807d2

SHA1
2611b3906f01afaab2619e36b4b3c6bc76ea59db

SHA256
6da68884b8875f3fe7ca3fe130c8fe87b2c4937a0371dfdb47144a529386310b

SHA512
ff4cc425ef4e8c7ac69af5283a64e14c125fce7086e2b4b0823fd14da6b685647e7d0a3cab1b5182402a7b88af67143aefdd83cbdf6a351dba22bb241890951f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4f9015c09fd5a15223a4cf04941e45d5

SHA1
863c10266d83893162a4d81f992a54c99bbe16c6

SHA256
6529d6247327c3640d969e632efe1d3152f79e7a5a0900dc384b430f045e3938

SHA512
714f192b7985e30e5cde473ec9c52be5e75dae8e5ec21b5093e5c3000d1b9ce6fafa3895ac7a2c6e35a97fb62f090ae6cee0f49bab0739a508c5645880e6a0b3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
72e002ba60a4df507fe1c2fe9adb7b10

SHA1
8b81ec26d26e67cc38f92346fffc37e76e35bcb5

SHA256
ec27329917bb61ce6e4830b1453188274f997171c2fe227e128b928d95fdbbe7

SHA512
402a63e79ce10d5bd071d87b35836aac8012d1ee5c3a282ac3542ea85696f40a621e16a0b2a8c94ff1d4441a4748df150cf4aa6a6de7cfa1dcb46eb4223ea3bc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
ec1833dc1b4df1aab52a2f191e0e88fc

SHA1
5413f6fee643b46a280fb33cb5fbc75383c77a38

SHA256
8fe77e8ce981352ce0b730e5586518c39cfa9b67178702594b1fbd39d68e57d2

SHA512
9a09190f11a587271efd632857dff654dc2b78bf02dbcb2f742a9e424a9342c99577e2c7d2f946e93a55852760fa4072a074f436434d3c05cd311ca0c62460db

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4daf21754fd98f1d633296a544272262

SHA1
1f8be4b471d6b3339a9b9ec84d6bbb74c9203a15

SHA256
4ff91b24d22fbf1f46a9721e2f0c04879c34166b789d22d252e89633f2285ea5

SHA512
2dfaa9ac5284a75d358b5a1d2d171a032d15bff34622fea5d8a6d4ffb888cf31169ba9069a1f36d04ba5392a5c4f7d3e5f20c93628484c794d8f750e967b1287

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
95d735e8594cebc3c65e78a4261883fe

SHA1
5588ea0742e079d9e11202d758d703dada35610a

SHA256
b930d631184c0e2fc5184f251f6e76de2274ba6a5b22ad2dca4b008d72714c86

SHA512
ad4710df94235206613211824eba6bcb8ab7f326892a93a0fbad2ce39013b5847dbbccf26e374573a5fc13d246fe36b58d7b2f08fea16abe8e30f46bb281c014

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
45da16c8f109a43e79f5cd79b66a7185

SHA1
6d4ac373c3ff09e5c9ffdc1befc322bd7553d898

SHA256
51080ec0f07f14f8cbfe274b9e05cc9880e8df9d1133e71cbeb7ef0c561db5d7

SHA512
ec649ff80d34ed1142d3e007973a4e849c157ccf724c6686421c2440fef862efd2b684189e1d54e7ff4c98cc91b6b8f58bf17582b90ba44f3f5dcb4291dfa484

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
66346a6262c751b9fd08debfaff8e6ab

SHA1
5d53c6577b97a735098125dfc62008f386231ab6

SHA256
522b54e8a11c911057bdd56e89500150bce890e6480b9f75189a7802cafbd8c9

SHA512
fe5faae76fbbfb6a39fe2ca256503184dfb6606364647e9fe211a272ffeedaf8b4b7f932c8cd41031aa03bd94642838d495784876b2165f57b3ecb21ce8d4bd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
20e5713177f10d2eb9494990f96efbbf

SHA1
382e84e69872d765438fd346de9ab8cd5366fd00

SHA256
d6ad36857fdce8772d642a96ffab20a8227988bffb7b998e45fbc6290f9c39e8

SHA512
87666dac6e1230bde0165d42d5dea9f3012129e1c47261125d3e05c0736a1460cb6bdbde5bda55348a207f87b5673c73e82917acccd6ae23a080679594c940e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
27da76850886c4296bb997519a2cea56

SHA1
280263ba0de7954c5f1c786f11b5844389b08d72

SHA256
a4f9a175425c7df1127409c76c1b3a20af2827a52d1d767f44a63a3b7af2875b

SHA512
042c46c5a27d89a624f2554953a14eb9bdb9abd22bc2bbb28dbea2928c1757809730dab8d11162ac336182471a4a1470a8c24c7062ae09cf849a670f47f06f03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
f851d80c8fe9947e91788427e55307e5

SHA1
7c577f1ef7abc04137eb644edf3d6ddb75fb2d66

SHA256
dec3afadd0ff4f3f97de373bce1691fc0bd645dbfe67601930645ee45b7818d6

SHA512
e0e37875f392b7e2842fe6e342ebaf4a4b1e540f0b46d71741b5d284bf6684946aec6bef98f685da622b958112cc7e98b337b9650890edffb6808d4d01309e3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f6ea41b7833e91e219178b8d2393dfc6

SHA1
a90f7e79f596d84e58d2d9f96a9743d714c25c9d

SHA256
42a6e0e284ff9eb4326a13deaa369cd29da928e6f1d3b7f9934ed36d1effe775

SHA512
8a7462d47d1cf437153b8f4ded07c73eb6ea36d09d640f6b9b9ee2a7172fe308d21f2763bdecb11f8039e4771c9e0ea28a6b7a36a13fefe723650ee30902ac79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
4754cb40ac1437a241dddb43b427be00

SHA1
8e445bf45e64d0eb90f6ea60313642d9b4baddba

SHA256
0b14474ef7af06513ba66b8754403d7ddb904c75ff28e3f4181f3588c105f5e2

SHA512
ddd4f447bca7acbdec9a7b6ba1ac09f3f76fb425e2a10a4887883a1a66fa17937b448cd1543bdddf282d61681d54e0bc67be6b6d2126d0c474a9c3347214a74b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f8a0660d76746248667c717af0d7ac2c

SHA1
9df13667ad803336905a0692ae812ad5f9b8c883

SHA256
2b2607e03a5d18b1bbf8fb29f7a330ea0affb891f0f83ec60e7d4dd3b0c441f2

SHA512
ea7e8fb6c5d6e61fffac67fda5748bd90f35d7f347b8747a3ea2ca9d3b1c6023b6418bf5af32198daa59c2b63609a8f3618aca326ee1769ea3ccad13635d3c07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
9d69ce0827a6070292bad8d1d9248738

SHA1
7b0e02f60af5eb7df92f896d68de9edee38ef952

SHA256
3c9fda439d056fd5e7b9d527ddc06f029bc9d1432d2d75827f27c659296dc6c3

SHA512
0c548ff9348193f0cb000657e2ab5c156be6c4fd26b95e3daa8c589aa6d40baed670d3bdccc35624a8d74794b1f45adddbf103bf583944d8f39f9c100414572d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
2f3165c5c71c349161977a828ee92a9a

SHA1
65a4ca554b6c40f086363e91c2ff55e919b5a857

SHA256
001552bd3e157ae7bde386ec3375b5169e3dd4866edc51aa1b8c548be1bbcd84

SHA512
e9cb43d6b8a2fc9a3a19e19ea46b3db3a1705c146f6a894bdf010f56074757b1d155d51655458006e5501152980574b8a92887b3178d51c41c0559707b681701

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
2b070c994ea751f0e9c607c3f22f363c

SHA1
5fd285b868b5823e5bd845dfa920257ab2d6656b

SHA256
71693f2e797c31e74f23c2bf249e1d30cb6f473e58d8a2a794bcb7b5caf83fb8

SHA512
1fda0831a721a150d28b189da15e61e351e7ea428f7caefd815f73baa06c3a84a65ed843eeae997f1263de59f90321188cb2cb60e4a25bd5390baccd8256eda3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
65e953dcd26eb92df0176a3a9f0f8ed9

SHA1
d7a7ff05bc8c330a3bfb4fcc34b7ce680788f40f

SHA256
ca51618286ff7338fef0e563e5e1848aaf4228295ecaa9bc5369613147cd09e4

SHA512
9f8e01eeb6a6f17a24fa5ebdf0405ba7bf6d2ee1bc56569b74b42de4ce0c4799842150275c6ab14b1cd12911d2345173a05a676d193191524a28896956156d07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
76afe3b2d8b505958d7de5137b68c286

SHA1
5b65c0343fb01654b02657c0495cce9edc2af16f

SHA256
717af9ae5325cd9b935e2d81ceed98afd21d459cb011bcd97bef6568b6380605

SHA512
b50933f9e92a8373da7f5d97c9df043762243637a8cf96dad86a53a8586408125eeca149d6032e25d8e5c155c372709b9afee8405e490641c45ea2ba3fe8d930

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
f2044a58bc63bc6efc0cf90e599deef5

SHA1
3e1d2dc64bda0354c250c8ddcc1286dbf3cd6644

SHA256
73503168deb2f230898a4976dbe7ebc1044315979f49899b46a7c8083ab43d1e

SHA512
80e24ac8f7f51650ea6e845eec0d8b370225384a3cb30c5521ab23528ac42856a7ec6d4e371c45f2123aba597aee3b57a116f0ed4462fdf3eaa421cf21f07f08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
fca63103dd5e2e5f9263a506b862f893

SHA1
73ed9ed3c59d92d843b4cca27d315b42a5a33603

SHA256
225ab005679059475d1c6314698a2ad002a310a011bdc35a967e91e1bd711313

SHA512
e1e52f7383f40ba654fb35aa853011b0f2e534b2c07d48eb34c1e82f07272953cc72559a078087b94b94ba25fb584ef269effcce25f809e06dbb347fc60ed8ba

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e0cbe1d33945782b5d37ab41a78c16a6

SHA1
2cfaf29b8bec09dba6b1800531992268145ffefa

SHA256
34a3e348b2b1ea8a0ada9bffd5d4cf5afe0f0fb121a386ac50e1a01e30bb22bc

SHA512
06aa401e1dae933eede171bb222d9028e1a8c3ccff200d6d4ab925509ab73e25290939418f3fe174d22decf519b6715bd75b677139cf60a9c234c84706713329

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
6b27abf2e4eccfde55b1dbcd229e3fc1

SHA1
175db8bca0a999b77bf18721a8e94593253a22e9

SHA256
b6e339aab56014fbf06495a6529c8b8abe05ce6c395442dee3d58858dee01e60

SHA512
d97b1d9c8ac5f49894b1a588038ff6f961c92c00fd3d066e58ca4a2a46e98f45e22152644acbee68b258b479f4ca8d8a4e1c3713a029e005c92646fb859a0b22

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f3d2cce86ad81766a748e70c8cfdac75

SHA1
2d324dc5efe4f544e69ecc20dad6c3cddd51473a

SHA256
a5145cd71bfafea3ae3903d50f59b42afe01bca7cadd5c757ea9dc256b94d6ce

SHA512
bcf5de8656b60533acf1cf64b305b9fb65ec39726ebca8032a53ca49bdf00e628a53ffa4597a12a1f89f3ae358c54892d005902dbdcdf17c047fdbe851621527

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
71fe3da5a2d770b742e2889fe1ce6ac7

SHA1
eb0d6bca4ad11af0b9dfe0f4ab815830ec0549a3

SHA256
1e030d61396869bc5827217e4804e8025cd874eb2958845705c5aa774072db08

SHA512
cb4fde91cfca83959754a6ad9838ff4e707824a6abb93b8314375687d29543baf63efb52b93c5e5493ca1b22c4886d5acd40c9fb54315d8f859ca6e67370033c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
8bed1f4023b340ef80b3912e04eddadd

SHA1
afffc3b16826dc06db03079b8da5a8a814493050

SHA256
06477cd0355b2a1a1721dc204568fb5be830872c90b19035a6264e21ca6e0a57

SHA512
f81b5ce950785967961244edb14bb1dff9854a7a5d456f6d89c3d8dadb5fab6425adce57164376d708208afd54eebd965f94915bfd167985d919cca0f6551ba2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fe30ed45e50b88fd76b51f6032db6ccd

SHA1
b7eb892349388e2cc52e55148729a6920deb7b33

SHA256
a4ff69f8018502d14bcf4ac8a9b84cd2563fb74db9371d446fc7b6d00556a011

SHA512
ba7a3810bfde4aa00a42fbfbef47e3233c1f2af43aab1a84a8440615800e6e38b963c21d1550d17d43c7f34a907de07b81287f561f905c87721669e78c4fded1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7a1476a4fccd751d2d35bbf277e66cb6

SHA1
a7252d73185c11c017edd20c5b398d190b0e74d9

SHA256
a9687cee695d41ab7b7e38ab88af52001b12b036748540eb185efe4d4a39f6b1

SHA512
1f53fd49a3008fe268b07ac5ccc42737a0c6fbc8b040dd380560bb117480f0e386db37f270d2ba50bfb257196bcf1e6b69875ec57ab53f4f78fd1289aaf6f569

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
13e4beefe17afad7f473a0182e5f8c5b

SHA1
57dffe7b7ef1f279eb9da560ad5bb8fb23bcabe3

SHA256
3080ae2268de8c820dfbf2711aff6401f5b70a030005be50838da98f2071974f

SHA512
e9f497ba4f1814a42a8c264249a6ac1ae1a6fff9e951eac5efef1387c6c631250abe30dcc32593b48e6478554f99d1c6546847b4ac70d67490ed71f91b8cf193

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0b9852c7724811098d8990c58d1737d8

SHA1
d03cf3d7262a33e05c921d702572a75418b0831d

SHA256
a82022346b3f106edd575ce01a5f4e5f8ea685ef0a62c9f66b0df6bc38b4fd32

SHA512
93035faf969f1d030797eb0c47eed6aea60faf83cf1725ae8545c65415bcdaa68358adb3e744a7b27f89fc55892872d759c66f1c7b555d52567028164bf09146

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
66f08983d79290b1414000becae2fa45

SHA1
5a763b9aebcf679a8d38b5e9333943182aa3410d

SHA256
0169f8c103e9975cb0fac442b3727c8afd9ad0c3c4e01521f6debb386613598c

SHA512
044492866a19ed9f67998d72a5a8ff449a19dbd567a2678e4d9c3aba484a8789502ef00d7ce45ff5575afebbb1aec3f094913203f1aa69c6156db60c3a37a4be

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
685ff678ea5e39bab8ed8629e142ef1e

SHA1
fc6995b9c7161b6b0b06d20ac7ee2c0abdd5902d

SHA256
429fcc268dd98bac0ebd9fd45a49f227ade17f944b62ec6c4144060e1a47c42b

SHA512
faf967f2efd901aec7edea3e88c7a4702db703ff081f900bc987aceaae6b224ee477688c959d98988cc09f24875fbbbc5fe0bece9d8767267168ac07c251ae12

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3709628d23450895e54ce6befee19492

SHA1
4645a349922a407ed63f1c33ab8028f185ee08b0

SHA256
833c198e9dd29f020b5ef81c41188011c2feec91a02791c1b4d67c9fdaa4c0f8

SHA512
e532460736ef7abc3545b952c3e483e9eb6af3d5e9ed7c1dc5015baf07f1857bf0930abc845857ad941117df1092618007f1877eb6a54f571ef723ce39f565ec

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2927e4414833468f9944619e057296b0

SHA1
63557c118c249450516df650d7a0bb898a033e63

SHA256
2f22474141262ad8e09415fefefdd8ddb4645e96f12113ebda02811309224b60

SHA512
124cc2fb3d6398dceb0ed7749f53dbf87a009ef6a24afdf47b8f9683342e90c3db8d045d2e759daf13d4c850a7d6cdde706343d7908177d8a399151fa121c535

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8a8d4354671add2b72e1c1fc4a0216a6

SHA1
201751bf13f9b7294d1e8ff855bee6b139c22fc9

SHA256
0bff45af06e87c77ea2f304185d609c21b16f1fb0ff727684907bc8bfed02631

SHA512
483a49d4c16f0ebb5948cdef4c830d34220b6d8ec50ebd0e6c01a4b9cd02fcd5598049385d04c0b32326b791efed265db820954dce337b901dc175a285f4ad04

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
c63f71c57a44f80ce1c6b5ba7022f809

SHA1
a49cf14a2347e154ba3d5dfb95f9d11f1d08d37e

SHA256
2e7d8de197e53d344576c791948bfdf24961c34d05c93beba2e0eb37655b11d7

SHA512
c6532d056ff8280240c118e55ec062e33d68d2d2b4a1a9ebd3e07fe2157a99a7369bc10eb2ebdbf9b8d10fc6f883632cdc497df10b7402b53d18a031d2615c31

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
3a06cd06e3f83fbd2be66a1f40a14058

SHA1
dca85d75e3d7f9a9c3e9eec46a7a1f51480c0fc7

SHA256
c9f35a55e3ccaf3ab40abae52a791bcb1bdcd32c851f82d45486d267071e97e9

SHA512
061b62cc87acee13579273e74046ef03e51ab14c5ef6c136c926ad3aff08c3a54c7b86461df09b0d10115294ea53329ef8932bd98de54b3b46e18e5bb7ad631d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
2aaa8d2c7ba8a4016d1111d445784adc

SHA1
dec17313b3becf6436cc0f6e1100a18df18a6fe6

SHA256
644cba975b83c90f79df1c63ed7d2ffd170f4642d4bd36a8cb9a156620fb151e

SHA512
a02d502f30be16a21801bc183331d5de133be9e7effa515f060a5e384be0b1f508ea87111018ec8498f6a59b018a86811713e6c35813f79810c268ea42178b54

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
eb50c350f0a21f13e3d93c5929d8c436

SHA1
d1621c23975972ab51073fd03db5c8adc6dfb29b

SHA256
3452d6464056178f45a6b37b5ded5abad02343909332a8a4a147cd064009290f

SHA512
412a5d5c021e653f0a37c3bd9403421c3c01e0841c48f7660f216f716e9d89c5bc09a16db4c918eae4915705878589cc6b959c4e69035aa8fdec7ff0fbed1fa7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
efc4d77702a57c5cb3241f9ad47ad86d

SHA1
e0b096861620fb5404cd720cafff5e7b5d59e4d0

SHA256
78e7cea9f9ff867013e6c7982bc552d655a08d3e64549817a68bce1716c0d9c2

SHA512
805e31cb4f5be9818ff336c43d401bc04268ee2e5195db7c893a510653b8afeb4beb30ff9b17cae8599d519edcf757d6899f6fb860bdc6603d4fa3cf6d21929d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1c803c8373ffc1d34865acb68590ec5f

SHA1
8b184c6e1ad65847ead3e8d15d61c7a267d69880

SHA256
5c5de35a2bf562391e0fbfa378458fd8a567d2f967df101e2004c2865caf7bc0

SHA512
b0381b9b39226b47aa4f077e225b9838f32844102c72c503882eee1f2b0edd68d7865c90cdb16aaeb8904d6b871eabb40cdec8e58a30ade289cfc1f6f0ec8d42

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6f1b0a7787dd0b9767d5f2c2186dbee7

SHA1
51ff120fe4ab6cf4b718a9120b4bef717642b7d2

SHA256
f04214a85c42347cee14984a2b200d4bb24bfb053dfc51292cf2676b61162e0b

SHA512
8a42b98377e580dd2ee0ecf36368f72a255334f4d9e0d3980d3fd4dc1bf3f4268efa14f54f8c388b6339caebdb58868b2f03a3907589965a76c6de869d7aa9a2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
914a8527d2188d8decf0f4b99e2e6761

SHA1
997faf5fa54cd02ac500cc1b5fdd981947e34863

SHA256
db76254e05ec0b01d555bd262695f20d90f931923cab83468a8ad4f3b9a28990

SHA512
95a58dab7cd164b7d2aede6ca7316400ce875827818150ea550172235493d2df0e1bd38f71975bb6f3dad827c909864871a0140de19e9023fdaf3f7818fd8907

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
304b72447018f07ed796f65cac5ae25c

SHA1
89da5b1d90a5cdb52c4e92c2706010830db6cdd7

SHA256
cbfa06e36d4d7037681b81e1d65d3bce13e1e7a20d2744a15110b1faa0254a7b

SHA512
6537c4b9585417f2c04ea877364e100f5d4eaa48562c31d77040b15ffcaf56b3e60ff3dfc65fafa2b3b1b64876d6587e829f0f740739072b45924d04cfa11f44

Download Submit
memory/1552-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1552-43-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1552-37-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1552-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1552-68-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1704-203-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1704-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1704-11-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1704-19-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1956-509-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1956-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1992-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1992-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2084-195-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/2304-65-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2304-47-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2304-53-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2480-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2480-82-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2480-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2480-84-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2480-86-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2556-155-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3404-88-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3404-97-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/3768-170-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3768-488-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3772-513-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/3772-184-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/4076-157-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4184-183-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/4184-1-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/4184-6-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/4184-0-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/4240-158-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/4348-266-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4348-568-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4408-34-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4408-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4408-33-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4476-563-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4476-224-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4672-156-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4716-246-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/4716-567-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/4864-223-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4864-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4864-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4864-58-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4920-212-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4920-514-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4936-396-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4936-160-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4980-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4980-566-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download