ead6a2fe7859b8f83f3c5521f2d7c8e126196b2fa9c5ef6ae69b6f662409dc0e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
Size

1.8MB
MD5

7df39ef22ee83efe4801e459dc02e9af
SHA1

3be5dfb26225d6ee576e599487fbed0f06eaa8b3
SHA256

ead6a2fe7859b8f83f3c5521f2d7c8e126196b2fa9c5ef6ae69b6f662409dc0e
SHA512

7b774f416cbad6e3d0997367ebddcd9798edac1aca1de583970d80aa61958fd00754c1e77280867e68fa44227c86646dc5dc61d062d59b4b8a34a7d575e79dc1
SSDEEP

49152:FE19+ApwXk1QE1RzsEQPaxHN7gDUYmvFur31yAipQCtXxc0H:m93wXmoKmU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1004	alg.exe
3156	DiagnosticsHub.StandardCollector.Service.exe
3144	fxssvc.exe
4856	elevation_service.exe
4288	elevation_service.exe
4832	maintenanceservice.exe
220	msdtc.exe
4468	OSE.EXE
4268	PerceptionSimulationService.exe
4968	perfhost.exe
2660	locator.exe
4524	SensorDataService.exe
2964	snmptrap.exe
2684	spectrum.exe
4792	ssh-agent.exe
1380	TieringEngineService.exe
3920	AgentService.exe
3116	vds.exe
4360	vssvc.exe
1192	wbengine.exe
1108	WmiApSrv.exe
1968	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8afd82106003136b.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80203\javaws.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80203\javaw.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000003d5f8e22d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f51538e22d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a07a1c8e22d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008738bc8e22d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0dc1e8e22d2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000885ee28e22d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c54bb8f22d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b25a3f8f22d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
640	Process not Found
640	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
Token: SeAuditPrivilege	3144	fxssvc.exe
Token: SeRestorePrivilege	1380	TieringEngineService.exe
Token: SeManageVolumePrivilege	1380	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3920	AgentService.exe
Token: SeBackupPrivilege	4360	vssvc.exe
Token: SeRestorePrivilege	4360	vssvc.exe
Token: SeAuditPrivilege	4360	vssvc.exe
Token: SeBackupPrivilege	1192	wbengine.exe
Token: SeRestorePrivilege	1192	wbengine.exe
Token: SeSecurityPrivilege	1192	wbengine.exe
Token: 33	1968	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1968	SearchIndexer.exe
Token: SeDebugPrivilege	3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
Token: SeDebugPrivilege	3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
Token: SeDebugPrivilege	3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
Token: SeDebugPrivilege	3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
Token: SeDebugPrivilege	3772	2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
Token: SeDebugPrivilege	1004	alg.exe
Token: SeDebugPrivilege	1004	alg.exe
Token: SeDebugPrivilege	1004	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1156	1968	SearchIndexer.exe	105
PID 1968 wrote to memory of 1156	1968	SearchIndexer.exe	105
PID 1968 wrote to memory of 4348	1968	SearchIndexer.exe	106
PID 1968 wrote to memory of 4348	1968	SearchIndexer.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-09_7df39ef22ee83efe4801e459dc02e9af_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4448

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4288

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4832

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:220

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4524

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2964

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2684

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3888

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1108

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1156
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
23dddc9730127a40e7922720d8c80e1f

SHA1
f66761f6017cc7396617e02e28d2617cec386ea8

SHA256
9377a9786cf891fb52b5ccce219f6579f7fd922ee40680f2f387d24b0b35ff48

SHA512
99ccfb41ba4dd2bf00ce199842a5d7a7ad18bc85b1b04c2056a29954db68b32d7d90b21b1c22e3a7e0bd52dec77fea4e80b4cd21601f558b2636f471906dd61b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
8f160e0fda6ece15955ccea2ce28ea43

SHA1
473fcecd22698a919f45e268d89c5c05827ad749

SHA256
3df6062e15e6d174ba68252a075ca38b57455b7e3378495baa090b04cdbf2c85

SHA512
1ec726e7030a45c65a0ed75e80870e8b97b95b01e7e465c8bde6473df77fac27ae37b49259d0861432927a6d0967778ff0fcfd6c50caff7d17e49ad001bb6c4a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
7f26e4ccbef96a6f3db4602f040db1c0

SHA1
74895cbe9ca69b887d35a6978a9ef56c39e23880

SHA256
42e7e93199f01e99f821c4f2a9a75517a4cc2bf8d9243a41be05a1fac0b84e16

SHA512
394ed4c184308820e596a68bd077db83e42f3c7f5640f2f3c09fda5b2a51d8e6661bf2255b32fb389b9e501363df0cc3a96106afc7cd9fb60faa86d54e65aa81

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bc2ad290cad09c352bd11ac3cb09d76b

SHA1
74ad1556557bc859a09ed45f1ed65c910816a4fe

SHA256
f1503c7d34a71948613522d4c8212fd872feb8aec8331e2889a758da2cf35b4d

SHA512
2f4e772fb3bc056c166c0c1801d41ed9fd34b5a75ad3ced02f2479bd7b35cb6c1f69b0e8a51fd8a587cb92c213f019a4f83e6fdf63511aca3d52da879a44cacb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
90a8359ab8d59627e48cb7a2ce61e1b8

SHA1
a2884f451d7e2adcda49bb0126871a54fd483b87

SHA256
041dd6fda7cbc6af4b3ad26e62359203d9afa667062e1478e35c513b7a9af62a

SHA512
2c32424becb6270d5542fd6f43e8a4e76a854fc647525b1e7bcb1fe988d0b8b66262f0849e859f3d9d6b18a2b3451acd15722adfcd1b843a1e9a6abb032cd751

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
57a0e6ae9e5c98b1567e68060d54a128

SHA1
e11bea78f5cda0a8e47fd6eb9aed481d234402f0

SHA256
5c667a7b769c8e48518260e8ab646333f1cb4362ad7f646ebccebe2b666ac334

SHA512
62020d4128bfd4e58b2bbd921ba35b9ccd7d72a0467c828543f7bafd7378eecddb72e9e734990ca586c997460897a52b38742e97695cf89b283417cdb3202018

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
bdbd4136c193cdb3738c3dbfab414d69

SHA1
40b270cf5c6e4c1f7ffac8cde1b1f29291205dd4

SHA256
d43f182e73d9ffae91b364a60737bd3381c348f15f4a9fb156584e465429195b

SHA512
a2ee4369f29bea1582ec05ed3fe8570d3afd553edf5838cac1c524edbd3496cb027beb3b2c777413ceea737eec7466afc816ecb3d4b913bce74f77dc1eab4222

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bb8eaafbaa934c1650a7f6b539ce0700

SHA1
09a9b1d86cc3ce2d81a2b8e428a5eaf016f69aec

SHA256
14fca6e9bd645f3a325763efcff76d5d37eb56fb0fd9964457b795733f343cd9

SHA512
ec137729d5e423d6dbc431641b860ed034ab939e75e1021a03a0c4834446e029a19c92e70eea6585baaba80b79658199d0ae881d6ea2269093e7468bcf01e92f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
7c470c803fa899d415762db166f91df4

SHA1
5f30696a6ba072f55b4a096230b7a27a2e28b28b

SHA256
dfae19c0b1a4ef8f9c5833edbbc50c77fcf8f1e71c9f74d659dfae1d2cab22a2

SHA512
1d903aa82fb382a1facc7ad8fc5163b2dc11883b1b83c8181416bf6f6ab1e8cb96abad7a9a676f273c71a4c9c52546e5e778759c8e536b2c031f719e8aeae897

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
45dc2ab4670e14fc885ea3433092bfdc

SHA1
44eb31f19ceb2bdd8fe44255fd0bc5f0e65dd18e

SHA256
7f0ca11149a8d8b24de731603e1346d1d958ebb9be44dbce2791a23b2d37e451

SHA512
83e1e297b253496c50c6647a78eb65a2486110326726d0e2954d24b6312b6d6680fc143b927a9d34530981fafa54f223e7480413bb20df5779ea31a27586ee41

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ab54f58afb50b88ccf79834f0ce7dbee

SHA1
9108bcdc3624d4b6663f13fc87152dea18b8270c

SHA256
9e0f8dedbe02f7a007aac589ed5e0608c8d0c15b82d5ff9361fe4468ad6ee311

SHA512
52e3e4193c15c71d4a0fe8a9986c2c5d9175305455d51041c424e671e11359ec81a4b4950fa9dcec0aa7d62716794a8880fb907b208425a24d17374d63652d4d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e30ecd020e248ab9a3140c0c50c26df4

SHA1
bff96da91bb676d3a5f70186309c83f49d88f03b

SHA256
a748ba5cc6d9381e13bc982ef6a1ff4aa30d0eb373e0ac825e4287e478d1efec

SHA512
96861e242858435f93192603490aefcf59cdb4437813801e6a117ab6cb6b00b7a8cc712844444e61e0165ff5b91a6338d8034f4030a8754565c90984ed6cd2e5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
5651b24d2c1bca76cb946f7c1a7fcc60

SHA1
dcc88630ea005a87b82134a135a3f9c7adf6d628

SHA256
b23cb267ceb10967b7f6320982cb69bd526c79e279854b98e625c7c023af1ba8

SHA512
cdfe614ec0cab94fb9991333024e0d5bffa40a5cf04f77d2580b585badcc996d458f95e381611494a6939cdf3202fe2be20201befb2fdcaa40735a9e79602ed2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
128b23b070ab53999cf05e0828a3b468

SHA1
2bc0c09fd1f64779fe773135575024aedc6b090f

SHA256
6a8f665b865480581c6dfb98ef54b3aec64c870ce4fdbbdb44326e3ce8f165ea

SHA512
1c2822c8513336bd14c62af03cc4a7d819bf933a364f284dfcdc1e80c2ff21538eb6dc6f9c51ab60d2eeb259aeb090105d1cebb6737c8096639744c8343532c7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
c9d5392af18b100c7bd6e0174784f74a

SHA1
020b5cb7b018b81f69ddb76fa331049ca112be8d

SHA256
748c887d1e7cbce17b81a14f510d92cbae53a75bcfe1d0738d31bb2d80ee201c

SHA512
912290b8cc9305167acd46f61eb8b0bb670f09a4f1f2c6f9baeacf5f3205d5755462ca809662ee38864fe4f5f4930a225f672d1ca6aa4f870202ed6ec572a74a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
e98f22443c344727ec6595e68fca0174

SHA1
1ea73d0456050cbef162705ba81ecd71dc0af9b5

SHA256
1c71a8df6a8e1e6ccefe82c708a2e7b132029fa08288d7c351579e8a623ddd04

SHA512
27356245e0cad61d64756848898ef73737a7c7a30857eb772d183021b4d34794348452b9bddb98049f5f5a2154898e5cf8ce42d04f619083d7268bd98d4423b6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
6e4d3f7d49130ca8d381fdcfd6ff729f

SHA1
9995cf2e4aac4a3b52a1c8766e32cb732f0d9ea8

SHA256
0bbab5a530d1285bca1efae84459e42fb97e73b6011d94be684ab55c3c84adfe

SHA512
95923815d7eba073c2f55b6be472f829188cd7f0654402840263cdbb58fe5617183eecfa6bf7f24f227a32484bd866f86bfda1ad4cb98d1a10aeccf4db64890b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
b605a78d05286ab45d1c02c3c7afc528

SHA1
b3ef61c78617ae8943bdcbb2e358b60022d49608

SHA256
9a2fc0d0450833015aeb359eaa6ac70a2d09c4e33489206adfa324663fea9494

SHA512
801044fc6e7afd4a944128e593eab7f29ea4db08593e12686093ebdd94ce4462c0e164ee1ddfcd07cc3983305fb4cf614fe735ef94e77d2b1319bce3475318e1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
e3253280c064072cd76c6875dac9f133

SHA1
c1f3c144643565fd1267c13956c35442d3b4389a

SHA256
6d5f62fc5fe2d404ec5fb473376f69735143fc6ef2b0ffb8774ee63304c02b05

SHA512
4dc1e19bf8eef052881300a5cb38181a600ab38184cc0a2033341e714fadb4826d0441497662923633d17ed3ca5b0751e6e6a5c5b9e1a2a8ad3973bc5d7e141b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
42ceea852c2020b1d93a761529983bef

SHA1
eba7d9a6765ec51df98d01a66e32b6d249ee6734

SHA256
e9e2a9b5d11c04a5a67d8a8e53053aa9d50c382438e89949ed490cb302574f09

SHA512
8ee4acb41b0b35b958aa65ec88bc66a04a1abb906e51e4ae420af9f0b8a8fb336a000b38dc527add2ca5fe47f093cb6051cf1e897180377c275c8fa6165b2835

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
03b4dfdb3e4a475461bb10b7cf0759d1

SHA1
89881c1ee9b6ba815b1eba6312469c19ab0cf03a

SHA256
59869157029dbdee58c5040f8316410d4e90c3f1361e49f797e6b34b3c95d154

SHA512
dccf773c56381842bc4a9e2d3700a8fa33253723d9f93ffd57169dbdfcc1c3a8efaac044a68dce591dbbac71323dc29e89128798544c977fed30d5800d0010ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
72546afe91307677553ccffa59b7d685

SHA1
569124f57342e77273ad696fc4e02a0be6800442

SHA256
c5221d61963d8803a1df4a317df0f023acb39a694135cba87eeaf40a36eb0a6b

SHA512
6970d95f53ad1ac49794e69f32ccea97d4f928a1d9d7fab073ecb74d516514ca538cefc7cf0b2e53b30946ceb47f0c5c208f9c9ea9c7b4eee9972d9e47b2e132

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
89ecab2f84011b63003ffb1222a9edc7

SHA1
41caa779270f2ef4f5b378d1e5362d3f340cc4fb

SHA256
46c5e41e21a2ec74b5da46fe3361216ee7ff091253e499c57d07a30a07d05893

SHA512
8ed20b3185a3a4729760ce626077017e108743b2e2e5dc6ee0112029152efbde3512541ab162ccef296eca041150701cdae76cadccc61150fa86d9d3b4b3e309

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
8835eaaac3c006f875231ae931a2cdad

SHA1
364ec363f045e0c460869322f3c7f3d2965e45d3

SHA256
f9a20bb19f70c3ce88567dabe8f5b589a4854fea3dbc9a4da300b5994bdb6834

SHA512
0510b6593d83ff2c88ebd63222064b0d3aceb626b3b5fd8132cbb9e57450f8b3724ed3c4a30a5dad6f5479f6a3902d1d962769352f2611c7d4b5a5945027aa9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
764c2f5e95e093b99ea1636967ad0330

SHA1
f14131459dddf471cc84f8d967e4d4d9055021b0

SHA256
3de13911d4458e5ea7c7e9bb9dc5f143501032c9b83b14661940e6da9651836f

SHA512
6d1cdebae7a6f8722cbd9016748db75e7216da15f9c9e22fd816611bccf7a731cdcbd842c39dc0ea8def3f5e60a4f16a015c661a6e61825794008b39783cb707

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
dd5110f98910061ef0809880a4530524

SHA1
3574759f05fdb5a51bd8c22e95ec65e37d78f6df

SHA256
9a89233763621449c52d45f0d70d79b0a761c734cb17e5e23e42702755e435f2

SHA512
a7ab919a9bc5d66894301dc126cd1fc26d5e95ba8c7d62ba1881549320a7c9b6dc54fad63f2654b544e55181f190ae467f944c4c2bd17b078703e03e14116999

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
1491b66fb3bcb926f9e18cf9ab8ec3c9

SHA1
356e9da1cfc4a2dee399ec337a152a8bd0f0a2d7

SHA256
8f1085fd7f25fb99d13b635850f3196156e702af93ddcad091633c40a8d7d4cb

SHA512
45c95d8993023e094166ff4128bfe4779961fa52d5a48a77bac77ea0b83dcf4dba54616d037e470666cd0280ef3555635fc4a54d3e68bdd282398ee944ab823d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
1fa9573f508dff6ec95356a414795d7f

SHA1
3ae94e261c71aa647faebd87aba3bf9f9de35de9

SHA256
57b9649655712174f4cf3ed264c99b9c54b798868411b93e098558e9bcef8961

SHA512
4e8ab7fb249d3bf443e33dce08268c6b14d8f377d54dc625e30e4dec19dc2ea063e37bcd85bf7fe4c9fa51bd859fd6dae3c3237207cff29373d7e6987e2f5b15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
c5a5cb1a93f31150c4ecb0f05331fa79

SHA1
930a134b1183d24a6cf97ea2cbb4c2772eae3376

SHA256
66864d38453e4b3437b0c285e8b218ac0b32c86a9e9622237362fca73e0ccbc4

SHA512
fdadd8299f7f011d5147d9531f050192c115762b36164b3343996dae584ace900f7c483123820dc9526cdd742556e3f2566b7de29202213eedb2e3a5c5aaac25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
27d99867bc5c68d8f6864d0356c2d6b2

SHA1
bf4bcbd9e7cb463ef864be3cdd238b9e8c5d5ded

SHA256
cfc791fa3ef80b1505e8c08cd5eca96af15930ce5e57fcd56e690258521d9e21

SHA512
73e369715eaa63ff402512ac7068c32b363f063d6211958ac39679ada9f2a1e0f60400611d930d48f30253465187585e6a06c5380c54fb1082d9ec46229e7e70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
d685764207d0fa1779f398579c1b886c

SHA1
5c51ac5d42b1865b1a80596e96b2579f38693f9e

SHA256
2af1592b84434c0a69149bf3d5f7682e74375bfb7d3a98f198f24f62c6078e9f

SHA512
0c034913ef64434591743ed622f0d11ba9ed83e6bacb91880980364d84a9dd9ee4c0d92d8eae4840e60aa5951967c55c77a0c6eb4597c4356c3a023f66cccded

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
d88eab33d63360ce86e13f3921641470

SHA1
2f48585e118716cc0269e5978382976145fea0bf

SHA256
d9db07b0c76f815bcff9a0d67da7b131a436cc32b6d46a5af2adc101db62242b

SHA512
9b5b3495ed5acdafc8a7b4adcdd6754ac814f1526b68eec5f10d12f961468eb5d64b9241f0255d3ec348ad48be567a13e6b1e948a5f76519819e860e6d584a98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
d79addeab1fcd40441ee2bb136415f4c

SHA1
7df93e69c53607323ceba88a15bb60168516358b

SHA256
cf21586b599854f67b7ced906627c52fdf1eb54dc4de31d8616e0c2463d932a0

SHA512
dd5529c2f7dbe82606ac0dae7f2ad06884a201fcf8e1a75c51ff393da301fcc807c02d1a9cf1666cddf567a930b3eae7f48afa47c11c75fab7c0ed4f631b4cc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
f977d53e801e048d5d3fc82a1817a2b3

SHA1
089fb018ada7c85c65834ff57c5293a3f459149d

SHA256
0e37ecce973ca34cc7813b6e8cf61da8d28c50aaad73593f06f5156f3e42366c

SHA512
ff38d628bbf606928dc7502e41e8379b6f75bb0e159f970464f5a72df1cf1b21c83f5234f1f7db243f0a527ab0038753ffa3eab35c65f2b42f8563c129ca08eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
99ac8f17fc28c8a9571ea1c3b0438053

SHA1
57e20ccb94ec548e37dda15e6c970355e002ede2

SHA256
20e54c6a1c9ccf64d18488ce319ff8681181c334a4b6402fc990927ff4b94e34

SHA512
f2d0f6ee8684cb94d1eec9cf813cc5f31399a375edea2eb5200709b8bdf33ff51d278428cf0f6f5254cba3adc19dfc4174a8d5558ac792f5251eab000b6d6765

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
74be7d5ed249f5772500ed38ec759f35

SHA1
b898a97b98d2e5b93934c08500ad8a1a059d1244

SHA256
50d44cb7e2f731372330bb1f3c0edce6c9e106bf2b2d97f35ffd2eda9bccb6fd

SHA512
c13a86135aa0fd94de2136d779979f417d0c7361af78b725796418e9131a6abbd1aba8cf6c151cc0d3ea951c7caaf2648a68f90943ec031933bffa43ac4edac8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
71f303d8a5e0ac802529f68c204318dd

SHA1
352f137edc1bd0fc912de7efd2345402b8d6fab4

SHA256
d84238bae61b13d51e98e19d595ffe865ce362a4484e6cb70eec39986bc49036

SHA512
e99ed34dcf3fba3ea8c92b9da6947b594694dd7ee86d46a6b7bc031b7c2b3d99d381b4761933f946055bec84fc2b192d5430bcf15a6047f8205315b83d666593

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
a4827dec9211c984bbcaae96972db918

SHA1
ef0b212bdf82d79ba541c8d6f08c61274636602e

SHA256
b38d228b6b6f131dd87aa48cdd754b826a3a848e593e5b8708d71a0f4ceff340

SHA512
a2843f9ba9039fa1fa4423b09b08340df85635172cc3a45ee238cfab013677049b2d1032afaf241a2fc50d7ad9cb3fe6494b49bcc47c77178f814c30c6f41eea

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
398d097149fd05312f7aa15de15f247b

SHA1
0be1d9da0ef0ab833d39852ade4b2dffa090ff6d

SHA256
cd4817899202e51ab33a16a2bb1e0cb4f566518b59fc43e9a8573dbd8a32c172

SHA512
53bd91e20ac4cb1ff533931611ad58f6ea43a1645dd457a05a05799bf5d3bf8570855c85eff3b4be117eee12d965eb339a1617bb8c484277808d7afe695eb80e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0f78829243117e300a5ffebfab6ee9b1

SHA1
53c61f0212e1f1374cf9bca4d86856886fcbe3f1

SHA256
b6f1ad6a6df545ffa25f049a96c1f1aed783764b52af167641c3a5595564db41

SHA512
ab59901542d792f3d0fa1cb0cafa4984244e94edfe4c64fe6d5d878a63ef7c448c3bdbca3bb97f10a5034239a296e514d74b6f41084a777106c88afc3f1647ec

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
6edba02cbf84e973565541db9bab5202

SHA1
ad455eb95e6b74e2db54b8461b9fe07d48885f7b

SHA256
618c303f9ff07450b29fad465f8847c0a74748904ae8b85e5db105a25b17f6ee

SHA512
634f9c2b21d29f2e7d480162487ee633b6e4c755388436d3f720e80e74375656994db641114fb657f79e9422213810cbb589197201b73c1437a35afcfebe6b2e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e16309074390101bd67a751b515e8184

SHA1
91a90202c92894e84f3085a8eb50df23ee3b87bf

SHA256
dfaeccb6a179c0146194c473495df2345c56bf734a9fd2741d71adf5ea31950f

SHA512
530c10de4a2f4b1df301600a68b255e538441091d183d11147c5f4a0061ef151ee465a3448b06c4c8f006b592bb98474aa128c3875a0d0e5a253c78461e8cb1d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
2a852338c78aa123b26434cd8b7de87b

SHA1
97f92e71575af5cff5fd633e1249f07824568357

SHA256
a07fa4cbf6ad2e4629b15879b523313e44c2d80f1e90b81ddbcb0223b841cc06

SHA512
44ab3bb9c7df771f5932bd583a595ce991504ad84de5a4ddd2b5da626ba98c3f5b406290d60264e76470b8d1e06485ada0d01606dafd31fc59f17be7c820f108

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
e31214b0f3f198bd76f75df6ed179614

SHA1
38fc40b378cebf1bca2933369ee9cf9d1aa0810b

SHA256
4e732999ac978f675415fe8cd584f3eeb99f685ea3a199368e654701a17914d8

SHA512
ddf9fb799f2fc2f7814989478f8e31aa9d944dd0ae247d602f14ca6ac18f97edac442c6e8b6779ec01e23b877331e46d4d0ff9ba6f0a521c039d1126f13de2cc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
e1e00f1570b730f4f076355c980409df

SHA1
8daa92edee14689dd4fcac687759e1c3e8156ca3

SHA256
d201ab40f6d4cb6b63391077e3125d4726b439686d2f2e1773c6cf1f10e5877f

SHA512
db54fa67b4d69ca1ca0c3662f40a73967df92c706fc6851e1afec6847c4d4b02c53cde8aadaef9ae48aaa4e428e1f540f3203f79b48208f5059e90db26f9ee4e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
31418a062f8c339f6a413e19e52ce3e1

SHA1
b28f99fa182d7cef952bf4334ec723adb665f60e

SHA256
071bcba223c2901e76d6ef8de3420adbab6ee6d239931fcb53ef467b0811d684

SHA512
b1d28eacb15d536e9e507d1a7371ba68b0c11cc1a92d20cadb2a0dbd03772b3174ac8f85df6bf82c81a54fb3bd23347bd6bf1e92277c1f855938065a666d9902

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f25c07b385dba7e396efaa06ac39cc69

SHA1
86d3421eecbebf4a0f0a4d8ee4b4b292dcc85b8f

SHA256
9dd874791e308c419aa962da5043caaf1101a08b1a1c5549a3274504a2982dee

SHA512
ff8ca4dde1705244394c9639a5333eb7b5c4caacd38334611bee2e810f7ac62b5010949e2ee1db5f888cbb57c5364997ef4e7a9a1ce7574671d3d25cf62fe819

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
29bccf80d91343a04db7b66778a4f1f3

SHA1
8cd8f48c27271160abd46da092fb2c95b11b0416

SHA256
e2d4231b2c36a3fdec5241e347ef11787288c19e90632e11aea64b0c02d66369

SHA512
11f2846360aa30708dc69ac62c1ce94e914b0a96e777f2628d175311ae684f9339478b7ddf589486e9d18155bb1ffab62e0ec328e518e6212c2bc66c098dbb61

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
b3f222ecb9d9698a5c89e4f1a18c5564

SHA1
14c52b9a4912b789caedb5b717a1ce00385f2cc4

SHA256
406919bd6a953fbfbd93c81e85f50c1ddeabe0c8dd66478ac9c7bb8ae553f711

SHA512
04fc8b6676573c46ff7f4ed0bbe5f00b7f90baa6227ffa44075cbaa88584c76d778ab9a38c3d9de73810a925ffd198fa7e258d7c132707a239add64b33b85508

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cbc620fc090306926eff3743a9a68dfd

SHA1
21d26c8dba09032de1fa1d7530c572bb622d052d

SHA256
7113f6d9447f354af11e95cb9aced63ddcf5da246e892ec47bd7fe98b661d55c

SHA512
6ce8d647613a72f5fb749c239577c96016c2fb8569954d6aca375d28f7c71eab186ec9351ce21201d85fede6ad05ffa6fb700cd4ca27abbc8d16ec2ef40ed542

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
fc9cd0bd3e7dfc0fdf9e9695f5811609

SHA1
51d4d1c781e2e1ea3b16fd591a418f74342bf941

SHA256
5dab567c27b5039ad0d9ebecdc7054da7eb581df17c6da5cc808e5270f71e781

SHA512
0518ba5177588dc2c1f1bdabb07e2067c3889503ccd541a9ff392fe276b2979e963d899683028371613121ba6d0414120dbee5cf437d61bb7316be4983dbcab7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
04fb7a51de525a0fb7d5ca652f4d9d25

SHA1
900b9f54c7a3ac8446b96d26461f952d9f2b1477

SHA256
f607453e392bbeaae95020b83ac549eb3a350c0eaddd927d6746c8608398dd16

SHA512
6bc0bcd3606d5e23933ea92e96261b219da93af656ef0ee2bb0ed1a7e9677e298cedb42d4016cd156232c26898d48c5ac845b726b9f283be5508243afd19d2ec

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
9bf36d51a3ca498e9d0b9b83a668c1b1

SHA1
b62d01b834e7911ae189c670d34343a394a7bd66

SHA256
649ee4b03e4329cfa9874aedc3c682974e0c1e0073caffebc07f31a9330a2fa6

SHA512
3d75f0b396703bfd24c647696520c226f78eb52e952531c24e75e12bb60b49452aa8f922a8aba03b497ca022eb3a8eaa7e0d22c856577e1413d1747a525c0f32

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
59beab93e47f42e9c84d9fd8f41fb114

SHA1
eeed14769d33f95a222f79062bb102f2896009df

SHA256
0caa554f884edf5ce5ce44d1b7646c7795ea17226841ea072100c6417150c9b1

SHA512
fe9374b982476c8028a719feeb7782d39052e7b40b9b321ac06340cbfbdb7f49ee26d59a8917fd7268f9dc14e8c3b3e3e5a3c3196ff0207b824ffd8692fc7565

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
ca00a58870e2c81729eef8d1746c73f9

SHA1
10a79463eb3fb0855f7120b2605a32d38577f76c

SHA256
11ce21d6aebae70341fef77313b3a8fcc59693833cdf9507c0280fcde79d47cf

SHA512
2a77d0cb595a92054ae7c8ccc6e83ec987d51637e0c7e88e7f55faa9f378fd94e2950db4cda530fa2772ae561bfbe7118a773b99f9ce18c85ccd11076f7bf333

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5a1ea6ad69516c37aea75b3d8a628baa

SHA1
ee59c1d4f9a47b9251ab298773808cd0f2d17b3f

SHA256
b839749d5803f2ee2e62ab2966cf72f2cf032c98d1fb4c2d4eb7e04a9fbcde0f

SHA512
0df7d1c5ae1abb29787bf2e3286c0ce670b268ae0fbfa759ae31ec9f63ce0ee6ab0ee7cabdd0959514cd9d33105d679c433e9d26a664b3094b28cd7318b64f5a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
baf2681fe3a3e921061e0819e650c5ff

SHA1
b7bc2d8220be001604a202f8864ce79019c26847

SHA256
fa8a07d4a1e2748d817a300f74d2cc5db783ad39f4da4c00990d950b339c739c

SHA512
dadb916a481dfb318837d3492133e21d1759ad8caed6643817af5187e8964af580254c2b514ac1fecaf1f7aebc1b6ddb7eaf26bc5c164d2b76dd8d15598ed629

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
f8a6db0780087a26c191bda3c6f52858

SHA1
6738adbf5f913bf46e1a61360bd7379432605980

SHA256
db121186a9a8fa7c7068e35776c22933b26d6a61cb9f30fa90b2a545a9615c83

SHA512
5f263dcda5cb97bacfb486094b48b8c2ee9f8907dfae3fb4de87aa344493d298de4548103aba34bae0802309d6db4687ac413aae24cc55728ff9c9d300cbac5c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
55a376635f3791cd2434689139a2b331

SHA1
3180a0a27fc942d8d7e73177a6cd3fc278130e91

SHA256
91b3a4346fa83d4af35414943a7745dc8fd86230911afe99710b18fbd782db44

SHA512
31e68f60d13b45d5a84a7f78d4da8cffbc0b19a56c3079de46a30b9baf3d3954fe150ebcf80ef2953a84134f702e80114cb56c67136bc23197a899c7957f0502

Download Submit
memory/220-98-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/220-87-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1004-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1004-19-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1004-13-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1004-123-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1108-576-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1108-256-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1192-244-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1192-575-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1380-569-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1380-195-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1968-579-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1968-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2660-255-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2660-145-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2684-464-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2684-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2964-168-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3116-573-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3116-221-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3144-37-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3144-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3144-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3144-43-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3144-45-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3156-25-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3156-31-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3156-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3772-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3772-97-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3772-8-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/3772-1-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/3920-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3920-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4268-124-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4288-182-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4288-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4288-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4288-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4360-232-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4360-574-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4468-220-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4468-108-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4524-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4524-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4524-548-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4792-183-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4792-549-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4832-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4832-78-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4832-84-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4832-72-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4832-80-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4856-170-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4856-56-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4856-57-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/4856-50-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/4968-126-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4968-243-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download