f35b2d22696aaa3fead54522a10ca216e9807669a3eff82ae22829a069e27255

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
Size

1.3MB
MD5

158a7948dfa4571850e95dea785e6f39
SHA1

4e74ff86d34133e412f38b08743fcabc3afce9c5
SHA256

f35b2d22696aaa3fead54522a10ca216e9807669a3eff82ae22829a069e27255
SHA512

016b374c6a86d61569f49a106d2b53031295574c6aabebaf854ceb522fe9c2f319355a57ff6ade443306903fd64196c19654de9a37fdc32634a7ee2361dc38c0
SSDEEP

12288:DtOw6BakMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:R6BSSkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1068	alg.exe
4052	DiagnosticsHub.StandardCollector.Service.exe
3952	fxssvc.exe
1044	elevation_service.exe
3800	elevation_service.exe
5004	maintenanceservice.exe
4016	msdtc.exe
4740	OSE.EXE
3776	PerceptionSimulationService.exe
3764	perfhost.exe
1944	locator.exe
2268	SensorDataService.exe
3792	snmptrap.exe
3644	spectrum.exe
224	ssh-agent.exe
3604	TieringEngineService.exe
1004	AgentService.exe
4668	vds.exe
1192	vssvc.exe
4124	wbengine.exe
4560	WmiApSrv.exe
3628	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\84b17044240c1bce.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\javaws.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099197f5219e7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010b3715919e7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082111a5319e7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee9d9c5919e7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008effe75219e7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d9de55219e7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
Token: SeAuditPrivilege	3952	fxssvc.exe
Token: SeRestorePrivilege	3604	TieringEngineService.exe
Token: SeManageVolumePrivilege	3604	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1004	AgentService.exe
Token: SeBackupPrivilege	1192	vssvc.exe
Token: SeRestorePrivilege	1192	vssvc.exe
Token: SeAuditPrivilege	1192	vssvc.exe
Token: SeBackupPrivilege	4124	wbengine.exe
Token: SeRestorePrivilege	4124	wbengine.exe
Token: SeSecurityPrivilege	4124	wbengine.exe
Token: 33	3628	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeDebugPrivilege	4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
Token: SeDebugPrivilege	4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
Token: SeDebugPrivilege	4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
Token: SeDebugPrivilege	4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
Token: SeDebugPrivilege	4512	2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
Token: SeDebugPrivilege	1068	alg.exe
Token: SeDebugPrivilege	1068	alg.exe
Token: SeDebugPrivilege	1068	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 4868	3628	SearchIndexer.exe	116
PID 3628 wrote to memory of 4868	3628	SearchIndexer.exe	116
PID 3628 wrote to memory of 2980	3628	SearchIndexer.exe	117
PID 3628 wrote to memory of 2980	3628	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_158a7948dfa4571850e95dea785e6f39_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2536

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1044

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3800

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5004

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4016

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3776

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3764

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2268

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3792

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3644

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3424

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4868
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:8
1⤵
PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe

Filesize
2.2MB

MD5
ebb1d0d1e70299d28a58e6a945938d44

SHA1
908da2197ce26075b5ffeb9a2b6de3dd2db530ca

SHA256
a54fcb37006dc90c92ed8c1478e086234afe3e6eaa07bb2947b35db94f2d6eba

SHA512
03b82bda22333feb8416ff55a295c37ccfad2837253434104a577c4cf58f99ed67e37254ed634ddd4abe1b1de2887d1ab5b76018d22515b7d3907c9b6f0dfa55

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9cebbb29d1fb8863772f2e4cb7109c0f

SHA1
c47dbc38c9ae101509f4151cf72dc8c28c994ec3

SHA256
1c4ce2a940044d3eaf1c6a0aba33c28d7e71602621a3cf4af15e63fb9180abd6

SHA512
01e75d8cc6f8f26c787a343199004a1ebdd4458413a6039f1e83b23d18605cd9f6798049d86e927756adba9067a5d7a467e2d491a8fd70ac2afb84aca17fb11e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
1406d56c308940c81b22d121fb5c53c4

SHA1
dbecc50a1640c13a6046071fc8654350876b6b04

SHA256
ab745200166f419d450f796d1c08d176f86aaa72fb32d00a5f341ecb630db59d

SHA512
8ab3e75f69a64d2f760bd3dfe21d8c4765d3c880abb1e0daedcfcafdaca30f15a7aad56603c9b7029afe85a121b7c207875ca1530782d4e92215040f8d8849ad

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a9a0676ef08df28cfd531f47b5e252b7

SHA1
52d2cd1f5d4ae59c93a20121a4424b572ff20e56

SHA256
e945c12d0aa048ad09fccedf6b8512ba375b3fe3a4b63e324d8ec23fca914794

SHA512
a3017c2634956a7d4437a5caf58f349bf7acfaa9dc68271a4f7569b2386472cd20089f2dc5fad4dec041fcdadbfcdaf710459833007d4690bbaef2da1a4411a4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ebb3a5455db50743d4d4cd7eafe66a72

SHA1
d756f0fa09c0ddaf8794060507bc04f2f0d11910

SHA256
d7a96053f56cfc9cb22215aa5b2396f740fd491a7200b66d0e456d8ba5090362

SHA512
bbcf18d03871c324d48238463f6a96edc401ffafcf21c7dee6809d7e0dbccb44369cb9a4b77be06c8ca8a6e30b041cf161f6f4f1a74c8ff3c3f2a6eb2e099eee

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b91e8a5a4bbc1f7687085cc32855f37c

SHA1
e45c4834548089c02dab0ab1fb252c77ab4eb7e3

SHA256
0212e4a219706d6109b72c04d30ab1fcb51b16c405f2efc2e931b8b3f07e8c15

SHA512
2933566ce419bcddc8d82029bb71dfcdf8bc30001ab3cc8bbeb5fd2797cd4364f659c385af36329e9269219b1a541263b40712601169ff4623fe64fb9e289a16

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
2855f27fde9cb8e158c0846aeb460d0f

SHA1
a9c83854507c8af3d0cf8facb0e8db383996c0aa

SHA256
6fbc94c94cbebc1ffe32f9712659011de9c8a4dd7c58b58f89ef9e94152e401a

SHA512
10b54a51cdff9e66607ed3bd2dea9c7bd4769d7c645a3afbddc4f679f00e32ec1034724abf30f9940ff8a3fbe0cd057ea7bafd938dd18d7bb5484c89be03dfd6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
53278ee21c5c4a3084e9068eb439e9c4

SHA1
ba5ac6116349b43244877c5bfdd87fdf7e50463a

SHA256
fb2b7a21cab605005183cf4c671306847442bd4345699739c8fe2af69969bf9b

SHA512
5d15ae684743f14254857b631855cc9f48eb0195decea0c359870620038010f166226d3023b918e1cec9f781eb24fc935b5de07f24bb4cfeb5d81cffef3950c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
034a6f9834bfc9f29e91dbedddd24d3c

SHA1
e9e841d4fcecfae01e9e208c653fc233510b8d78

SHA256
2f36442514d78172a4032a7ded50a071834301405ee5368216bec49b7c5fd519

SHA512
15498a06099f4838f55fa0365c8cf8bbd177998fd2c598d2bef7019e79f056748c973f080cf02b6eb68dcce49eefa5f39955ecb21e19209fb5337570830ad51e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6724e864096c6516dc98688a07ba875a

SHA1
f2d7e835e1442dd6cfe555643aba17fb2a9aa6ae

SHA256
dd48aa57d5780a45d463b01fb76e2454251c32773701c5ee2c11cf3d1b0a704d

SHA512
e469371a01b2f6970d9f1360d620bff1833dd714683b4beaaebf10eba497b59c0e94187eae2ed74ac9eb34cb83d3a85368e950df8445adbec4efff0ec85f7069

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
013847f5b9dc5c53322e1eaf4657e999

SHA1
204ff164fbc39640e8b3f982031e87bb297527e2

SHA256
07f05613a5d80fb99aac8f0fe669382e36b411f0e4792ad5a781826baecc70d9

SHA512
59b7089a3b127ea64c66422d44e38674ed4e244bbb59e48a347d1b320ecfed7b5c9eea7bf550834e7898103cda1d9741f05169cba6b9796974b0ff1a1fc1234e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bfef00f1fccd91459e368aeffffc3e6d

SHA1
e8ba59b84f8e7a5317e9cf207eb0e63693f729d0

SHA256
cf7751e1cff9f784577e4da8b066a372cc2a203c3be6750d145e20a0ed88a919

SHA512
d3c4a489a7f9d517af2022fe9796c9f0e5a6178c8872ddccaf9b4b3a4c8cec95861a3509b74a5ee1fdd98abdee8ee793e225a7657b3147f9190a9d7e578ad4b2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0e5a012cb9334a4581489e14477b4b26

SHA1
091ccd57f9ba0d8cad6bd57c2b2a39ebe21a9bb3

SHA256
dae6b74eae41190e892bf26f4bc608f6494b960481a3cf7a09cc51411367c8e6

SHA512
e342be484d895499f375a8a385bea4abcaab787abdc80b05ffeaa6fd49745bc5c766c7521991314a49b38b6e9d7608980cd123e46472a3aa5e692590b58375d2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
b40b6769e400f6cd32c7cba67fa5d3ef

SHA1
eab56aae5b0c65ef6ed871cbe233a12a5a968350

SHA256
e3def9b8682c35042a4d4f9160f324e92a1599112e011131908e1a41d82c19ae

SHA512
0e6ec947d1f02479884c78771f26118930b6139b2c630aea3b0247d1844f14779f5aae532fae84c226ab7780f9c0acc2dcd6f4313f60a2b8d81d7fe3d7ef2867

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
5c79d4aecaeffa93b1dd8576f6d3e55d

SHA1
cea48896e403e71346d9f1d25c153a708cfd4bb6

SHA256
481297120f564fb1b81b1e00ff2ad90d750390903a8f0470cc5f2df8966f6f26

SHA512
8af3cd4e164b08f588e81ccf518b3dac7e414286f5b304e4e175c97773d5821c52af5fc1fbd4dd431577a3dce9bd0f364fe961ec5cb3d10261517da04c863f97

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
28934f18e9f124f45ffa8fffbe12a7a9

SHA1
9d3cd3eb4b700a571c59717d7f720b6592f532fc

SHA256
b9ee197994acc9a954e6b50dbb8dfbad0c4c0c6925f72650f2b788a2ca4357e5

SHA512
4f6ae87da3d6c2aefcd35d6faaf01f7f59c1f099633235a7c6fa1c8b0009deedf0a991dc2798af034fed2230e64fa010538139a39e448fb38067757f452aed79

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
2ab6c8a812d1154ed0b6eee188086364

SHA1
fd75aa52b43580a2d757deeea45de089823d48f4

SHA256
48326a28f947783a7b59de335129afe8b8bc59e1a8e6babc4fe475fbf9b0bcfc

SHA512
b58fa0d2e5c8fe15d7339a60873272d6660af4539579a18a89c13ebfee4a992e0791a832fd4e0adc2167793a10b2d627f117dbdd3447171531f3f59aeb9b8bb9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
ee4f0c996769aa6f41dce2f65e89b8ff

SHA1
34104a55a1122f9a11a5f7c79d76ac002018efca

SHA256
bdb0645563d1bd0246f2133408baacd6292f6910436de11de9b3ecbebf05d049

SHA512
df3f0ec73fea8374b4db0eeb7cb6466c44c2dfafc2a22f9cd30349aa2020b829211049cfde56c377deda16d28d53e366fd85e518c605728b928945682fea661c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
d7a7241dc0dad8c9dbcbe0794acc9d06

SHA1
430b0293236225c0f56fbe59e348c08caaf82b1d

SHA256
f33b4d95cbee4162cfd0bf35a29053f0164bb48340a8ccc4fd64606426c99a77

SHA512
f9bd7926ea706018ce06053dfe85fc06accd11d4a98137c692ec213d95f6391a3c33760d454af1aa51bf95c5e23759f01b8675eea20d1c242594845b45031701

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
80d5ad5a2121353be3c38a188be3a37b

SHA1
c3fd54cc24d5712a074b3ac31f93f512fdfeac24

SHA256
fa9e16e5611fc180872337b8a2e241333947b9d6d06e7a5fd4818d4fcc3d35a0

SHA512
cc93e258dbdfa5352ac4759e91545d68ba7028afe1c1565469e0f159286e9ddf9c1e5a4db9693028dc6351336fcd93f94089520c826ebce26c19a981d54f4b07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
d4beab641212a55cbfce969206f278cc

SHA1
53578b3a445e95af2be213ce66afaca1cf77c568

SHA256
c018c888bf4e05594422c6567b5ca13dd3bb0dabb9ab17f4cfac43c1a5fe3d42

SHA512
09c01281672ae649e9aea0d6648ee5c2c8add364b8be92b7aeaf190f522718eb125f5f8001f6a9deb4dfad63ec2338ca4cc31dff55828a10865007bc83fe9097

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
bef9fbe98ae3b788eb539edaecf7355f

SHA1
95e0b39e6ad2ed2b6d7ba9952657bb9e00c9a314

SHA256
5e57f335154d0d0e6022bb46b889bd2a1b67d74bf98fc5e6e46d022eb17da6f3

SHA512
463fc61c806499cf6fe2b7ca157f73771f55431828740e80e12096ccb8ca361547152b6e5d8a8bdd6c32ebbb0416e8c973518b4879d919028ee698f21c703c6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5b3e42ef98ab2aac31da928a027d6d78

SHA1
6a42e567ca865a63cc91af3ad473768f2c3bc47f

SHA256
2618b535028f889c7e898a2e991fdcf4d08f547b07908784a9532124daa63441

SHA512
1c35288e45f7eca855227ce1b9243117625b7a0178acdb9afcbfd8e6b02e554bacab8821c28f23c43563da557c1b7bf67ccd51132bca0f5e07bebf931c9f08db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
6171cb5c60be35e21c0c51cede7cf19c

SHA1
755bfd9c55680a7974a1acd955d4fbccd9bc64fb

SHA256
f627fc9ceebf55773175b010b3fd4567451fb1902d21490b05cf4b9dbac395df

SHA512
8042ef805e0d6b28fe0e9f10889c2f28a8e14b74a0c7db4a5db887c2c3d4fe9ec5c5f802874d12ef547ab365f38769df3a0c15f8a43e435f1552831343c4d73b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
10813cc4b30325efbeadda6ca6e62ff8

SHA1
20d9c38da45a37e4cbd3e907a9b714b528e34e81

SHA256
b770ce835cd11f8d6769cf69d6dfc4e1b44fd56e66b2efbe3d59cb9ac291ed49

SHA512
1a5376086365d51e904c41412466b316f1cc5855ae2a780e600c3750f7f9712ac5ffe1b88cc682a1c7e5a27580efd0b6b7b5341b8142ef62759579d366619ac2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2d575422c09a077b93f2e82dbe40d22c

SHA1
5b8e2e8b1a2b38108ca83d2d632590a224a663d6

SHA256
9a6a0f303e97447ded5af9300957278883d785e4bb9d846adaa37990de29d0c7

SHA512
8a94b753821d7be3122253aae5afd6aaddaed2b0576f85b71b7e39ff5de78ca5662772f093ed9663c066a98b7a1a74d49c012c6f83cc844053ce396942652917

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
01c93ef248921a9572be0a202bbef8d0

SHA1
9cbfa0fe1b8a271a78803df56cb8ef48b29219e8

SHA256
1ac918798a0ae1b7a8b0fc601d3958ccc26f06b6eb861183d6fcd503b9064921

SHA512
192e2f389e83682484e162c6e4a2aa200560aa81089efd35a58ff4f5e7a80f44ebfd238062ac0f567e9636ae1a6d0ebddb7160c311229b6ddccb1bf3e501de8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
66be20c693ac792d35dc9c399ffe5f4a

SHA1
f3e4dcbe0ce9d20ae7ca6cdc12cf8c21774632af

SHA256
e6d735cc882dec7d092505df1803b9164008eeffa8e247f2cbf0723c8daad716

SHA512
913cbd030c91ba9fbd412fa14c5df361b52fadd7461ce351abd65f59cf3c4b3f1027a3f18d7f7ad404360318bbc633e75d884d8885a46fdb484f73cfb1753dfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
412f8b6eb63ced81baf0e5136cf58296

SHA1
569a9d7e021a2e51de32fbf751625b7c750d1d5b

SHA256
419676126f2c26401dd937a042682929ef57177352bde4d35d447c80e14ac51e

SHA512
2d9f15ee361f11eb61eca355acaacb23bf7a2ae4083c079df3a64d87b0813f9a5b2fac4eed6b568c8fbaed525ae3227f4f77d5c79b9d9f18e98f2ec26ddbec43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
31f1bae26e21157ab333b5c390e5d046

SHA1
c8585d1106e33f8422151b9a0729d44ecfec8efc

SHA256
ce02093b802a32b7eef2f2a5787b173936f0bbfc1d70fcb11172718fae1de01a

SHA512
89e25699c0ea8aa731431f123bde9f06dd0919451085d99db197c6edff0fab7f5b74c0c117de948a6751bfc170b3e485f5d000e9851ec16a6f773fd8713f4383

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
8631c8edfe217963713c7b19db64883e

SHA1
98bd155109d7636b6944efe7aa04018c6d5c8a92

SHA256
1d193b7ec6665f8939a6e7d6bd99035c831b131d08d1e503c904705367e90473

SHA512
e775e587693e7c80d7db4c778a28f09f4bb2844ef271eb112fadaf47996b293d08d923ef5108441f9dae168de28edc17bfbd5d8d11100ac47c72c385cc054db2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
e1c142ae5ea67881a1899cda1c3eb1ee

SHA1
62bef319b5c485dc59705c0e67b0a2346f491123

SHA256
232db176923ea83d1582ba99bec92d459d4d95c5ba074621cf9e0215ee2b94be

SHA512
d0b429563817024e57a971d8c25c5ec26476259adae1a824ad4bcd5bc9164f2ac26d0647cbbbb01e9d3f7ab94500a710ce063df7280551fe1bceb9e1fb5eb6b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
cfaaa977514b317ebb71fcba7bebc59d

SHA1
91eb09d885c40344e1be97e36604b23cd0ac2560

SHA256
0849c620fad1ad08aebb67bd6630139e0d2cd6c0e7332ff22967f9d648098bc0

SHA512
5e15118d49ef5fdfecd55a94e9706088592dfaac237b52bb8dfa32e2c96b6d237e08cbaba62f6f2c7e33c903d33c79e1fbe3d0fd6721aeb68e1e9178bc1b89a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
91990e907f24d5bb7d24fe7416ef7881

SHA1
7243966560b687971d660c647f2aa46616dc116a

SHA256
e5f6823dde68921255f20a91bd5e825c98a08f53be40c9ecb07d7e7fade8a650

SHA512
ea35bed7fa0519d5455b78bfdef82889d3faa6ceb76a8baeb7f8e05f7764a2e11451c68adcdd8a4e2d6ac0da1d143ba2dab8734ab0bac2cc601891c520536bce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
51f6bd01461209b85fa46f07c1b7add6

SHA1
3989f2c899407f5d4d1fc819c711c4391d4c7daa

SHA256
c9e6ca54fa553d141d82bce06477d34d8a5dec10ae1d06d445b3cf3dabd42efc

SHA512
c617174872df6fa2c42518c1bb2a9ecd0f4b492b7476d194013c8fa448334a1afc7204cc0de8a14826b6d0520dadd15502bffe9d6c0dde499fb7f7eafe4378aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
6f0375c38171ac74ef9ed7edadacc168

SHA1
314f4421e734653905ebd4824c274032a65ea06f

SHA256
dd98280e5ae247cedc1dcf71ece5b7a0480beb12bb5bc354ac3d7751f845b9e1

SHA512
110e365074b568735fd7de39820188c721710ae8a938374dcb29088010284298c6447784f11cd2cfa8b93178ab16a04763e6b2d5e9b9a6f212b6b6d4af0cb162

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8ca99ff2bf66762e473a1c5a324af27b

SHA1
a18b53b3ac75bb3d625c0bd4f97ab8d21c75f6a0

SHA256
14fc335190efa0556d22b7c181ad8c130d873faf5a74ec07e9d34df4ffa9a866

SHA512
9c3acf0b73611472d3ec657a85c5f62d846e6ad28bcabdddd8c5df3a4874ed2994bfd038db05d56bc085613b067a23c6edfbb647e4193196dcfd98f4e46bdd5f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
0b4127ed8629e6679ea41be7acf04a39

SHA1
a12d82ef299b516b643d167cfd29fc3e1eaf36e9

SHA256
f17b3263f817fe296665b1c89ed904c718a0319ba4e187803ba8aa6eb7e06440

SHA512
cf0841acddbf12bb20bac1ef10487ac7df747dd5347e1846018e5b63889964d5c04fdeaf0d236fe4e4ba099fae2898f97eeadd1a4b7c6d2d2b9b0cc84b281460

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5020b3091a0acf6e6cc29986a27c9987

SHA1
39dd427168a486869c0b2d6402b55e28b0752028

SHA256
1a8c709ac83b2ee9bd59a014243c42c6d62860645eba3431f1dd1b8d70d33614

SHA512
5ba2bf0c55fb73098e8acc1ab8d4cc41eb1c88afe7caebecfba70f31d0e28ae6f1b9d3a899570da0d51e1885e06555ba3a44439e2299d3342f367a3d5f13ea08

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e3b7a7b5ceb77ddb3cfce907de5f24f1

SHA1
a8c30ac5c8d22e02b8cdf68cb594a329bf6417f3

SHA256
3a9ce2dc3912a8991ff12a68084e2618910349436e95a498a9f767caad33f74f

SHA512
9ce9d5c45c76ef4b8846fc3afb62e906b1a0a599eeaee52bc71faf72080aa2d3d3678d33bc570479cefd1d4b37f4c7fee680af45fdc3171a71b3e489803f13de

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
dc4619d8bafb60a9d89daef385f9351b

SHA1
2399f196d2dfd04fd07d90da8bcd0f8e4a12c2fc

SHA256
4fc2c3818c2010462c81c75534ecdd566031eb2123357623a591dc38f63d4eb9

SHA512
567ae17f4eb66679f180af53ff59c1eb1c6e68fb4d9738a45123afbb839e1c8a124b393a72f87c2a025c0c54419dcdd9d78565ba9f4986179d5d9283ebc0b485

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5900ae21eabe7a4765079713d19dd3f5

SHA1
e9fd8bf4737a108753621838d0a44d7036df4f91

SHA256
4415a6efcf18d4e8811e7c89c1e76b547aff55a6068b382d1eaab620fef0c91a

SHA512
c666c1a75f6d3a6292d75298ca50b6f40687b94e10c5e8a790c19bdb1c82281e32a24440292df59378cfbd906b9780cbc8e99d15237dbe84bb349993b008d234

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
04df0f8c1b224a43b3f129ec25127a3c

SHA1
f1cf9e645914adfa43b2dfcdfc5abeb053bc16af

SHA256
07cd461b096abc6e403029d51e7ddaa64ddd477f061c5bbe57eee45c12d1aa97

SHA512
67d65de08a3fea114d199a2da35de6d2432102e976762e62e4fdda0eea82a16dbd0d0c5e34a8352b0fcb21f15ef2afc04ae907b411166928a04ce1fc12a77d27

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
38924a9767bd1c644a0a20bd21e4e967

SHA1
5c49b3cd0c8d7bff5f89902406261937a6189df5

SHA256
855bf1f68205fdb7131d70907cce6ce3501583d439b047fe46a210bd6e497878

SHA512
5febae7ffb53fcca067e9e402aa1896f5c03e49fb0c12d7984ebaa42b81474c6b707223648037a42bbda2103816ace7d7529ed8ba350e1cedb578ddc96e0093a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
7d5e5ae4da74dd73bf891ede61598469

SHA1
61a06a3b36fef0a8d12d5830fbf13e9adcb24ab0

SHA256
09da3d67c355b7c01097ddc5f20a81671d7da6fb7bc4087bb8768531e9111c92

SHA512
d99f5f2a3ec34de28766c43c296509b81b76c7e26b9bafb8e55aef4947ce137ee32dea21b2a7825d055e646367c9e9f45a42eb886a6a96e4ad74f5a487a3b58e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
75f8304e36e0997e579b636873b6bd93

SHA1
19242a181614611a145529da160bbd33761af913

SHA256
da1e4bdf315e6c7ba14f7bffd521b71b55f09b937ee69c44d030f71e171afd16

SHA512
70c1a41336236bc879415629c574052f8ee5241afc7eb751641a1e39bbc5912329d521d4327b934183a28439e9eda9452e79e448dc442708541cbd2f51bf42e6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3a62618ae845dd05e006a4df0b60812b

SHA1
4ee20c39c392135654736789b523c8c51456a70e

SHA256
f657544174c8e4ca47f17a462a147b07e220e83666747aae83a2b6f88a4973b5

SHA512
1ae7df4a9673549c72c4c823bdd60ff990bab507a647e07dc1fccf730a2291cc19b7510547981018d1952d60375991de45e862a59fdaafdcfdf208ef1763a6f2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5276e8fb2a7c9865e93739b9e6d4ff2c

SHA1
d1b1079234565ccb4b3c82495f22fffd74a5776c

SHA256
045b80a970b4c8918d45ca80759de11ad7b92ed92d456a88e7256d1ed4ac49fc

SHA512
d9b4ce21e2cc1ced6b716b1c6026420a9a7a6e6ebb5b86ae02b3c1b0792aa248a0acc5050036fcb4758e60e2e51c7b06b13fae881833afcae46e0e0df2405b9c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
246128784be45c4b96f3ac7f1e7de879

SHA1
b44f2154fc263419930f7ba2bd3af69bca186797

SHA256
3e02b5a52b34cfc5e6c0e4fd83ae226109799e19aea1c13dc5dab40f510fb66c

SHA512
32a0929449343726bbe480ed5dfe01a1bfef425e36eceb9e0291c65317fbb792c1fb121a9ef143a279997b1ef5428b4f5f7e900b5d055c12bc4c600223a0165f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bf6651f6c3d26150b8f4eaa482dfef0c

SHA1
e782136290517cdc68bb536c22e241042edc75ab

SHA256
e15867240f65e9caeb24e4cfc3702258d56e9b9db1c024bea8bf289103e62445

SHA512
d0dbe7442d69e905f28ddf593c627bbad70b47d1858b32b076ef8d6577e1fdb076c33980afca9c636076ee6a23811aa9a650d9d646a60cf7d45c2ff92d4c2446

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
03c62b7eb06caf1f25395493d817c095

SHA1
28f7af4faf7b1b1a5d82458dce7a2a9ea765bed7

SHA256
c7e7b200056b6118b72c1082f2d0f6ccdb3363ead7bb2080449712d364fa4adc

SHA512
9b22f5ef10e8a9bdba29bfced3996a647f815e793029bece98dbc6aed66da1ea3af8d2d7181c22738a483ef81f6175fa97a3232e24727e7638857b58b12c2d97

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
6e37b2eced3b5ecd7e87d8bee8e0dcd0

SHA1
a0f51557acce899fa14bf5e91ac4261426f39a01

SHA256
bdd40adce0dcfa855f11e5f70f07fdc695775edd5af274befbd235ccdc7997c6

SHA512
59990027e0e0ce9792396025b25fa57b5c611d34e7607d2375d64dc7a65a6e72a15805af10ba052a16b659c450ef2dd9c76f3d647bc4e1c055f68f316ac900bc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
9a6025d7fd28a6110d379a0938c4d93f

SHA1
13ec005414041ed796ccaaeb292f3b6b0f7c0679

SHA256
bfe4dce763515bfff7babdb6c2ee2cd8eb9f46a4baf2c51c27ea0552476bb657

SHA512
d5f2040f8fb3f496105249d2f051a08ba230b2305600a0bfb7c2016006bee0e47821126db5c472230453932863745ec7fe017fc9fac8474ded1621e7903c6454

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5e4a4bf03712406e3afe5462ef9152da

SHA1
71a344c0362a3501cc21b3d573d22127ecd68c9d

SHA256
e1a946a7c1695a7ed399b66c2caab6c7aff7ea459b569339654f5b4ffcf4d3fa

SHA512
55a544e3182c5ed76346a5b041d2d990fe5ebee50808f906ff62550a4bfd6b428c117e97acd51a5be727f221ba5495ce6db0a1f07b8b51b9355dd4a587677d2f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
faeb5a62d5f6982de6468c5a1e2e4c9b

SHA1
61e8cce46eef2c733f003a815e9edde9a8a14e9e

SHA256
c956d1a03475052fb03eed970a650549b163b37cfc63072abda97f1a53415539

SHA512
571b6bb05e28a763b31bd29cfa99fd1abcf533b599eef005542b45747eab24a2d41c91543d70bed54b09f51cccc3fc2d013a49e32a809f7902f4101b47ec49b6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ab67aef05a47c28d52eaf0e9fdeee87b

SHA1
9910aed7b8d9b11c056c97baaa73f709dc505b90

SHA256
c04c94fc6e6ec1da154204744c5dca668d806b08a43078ae1403ee3b902de041

SHA512
c92e7dcae7743e7022d9d332447c7bcd1d6def6a3fca60b3574d2e1f83029cb5d356deb4471461008078e6996ccac20d88b0c792fc69cff9de577e39db430e03

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
96ecf37c4e810021f90abd8e8e210fdf

SHA1
0e01962d1908b09e8067f5cfbb5cd86749780784

SHA256
c6cf105ab4359c7f33dc87ad64cb2320f6d2ded00e52f889f8955c1bd674620d

SHA512
5b3a76057dd2e778c2c8e75698872f9f9705153a71e776e10cf1d38ab7001a825bda29576ca51e6461d8985f2b932b9e8e76901a8047b2404d601e2c7675c5c8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
fbd947aebce4775dbf14d5b506f3926b

SHA1
59d86d320756c98eb92eaa5e160230c17936f0b4

SHA256
55862a4ab1ba787a4876db752d9bd23e3ba66fb9b8178afecbe1074a9b21ee5c

SHA512
cc9b93f71811131a2073e3277cbe40b72d96ff6e096fa33734e8a0e788cab1f65cb9081c6e2c50bd7ffc0d1e797a217bb5e4b42eaca08556b8bb27a3d624a9fe

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
642b062e1f1fd4ce73862a06e8732d0e

SHA1
892cc8878a89d8bb8b7d5d616782fce67dad234f

SHA256
7d179acd590724c3376e1f2e1209c3985d7fdb30480b19a58417bb325dc9ff6d

SHA512
bc00f34b5a3e6926bfa25870016ea57feb83139336bd8eed3ee692cee00860456d33a0f4a9a66905d5b3f4be658a5fd78ed953a09c18e1398da25f06ec337c91

Download Submit
memory/224-338-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1004-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1044-586-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1044-56-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1044-48-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1044-54-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1068-533-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1068-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1068-20-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1068-11-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1192-341-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1944-323-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2268-483-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2268-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3604-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3628-589-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3628-356-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3644-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3764-322-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3776-321-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3792-325-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3800-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3800-587-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3800-318-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3800-68-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3952-37-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3952-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3952-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3952-58-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3952-43-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4016-319-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4016-86-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4052-33-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4052-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4052-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4124-342-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4512-0-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/4512-484-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/4512-1-0x00000000024F0000-0x0000000002556000-memory.dmp

Filesize
408KB

Download
memory/4512-6-0x00000000024F0000-0x0000000002556000-memory.dmp

Filesize
408KB

Download
memory/4560-588-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4560-355-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4668-340-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4740-320-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5004-78-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/5004-82-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/5004-84-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5004-72-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download