1feff821225e80848e00c76a2e1071d15e6096fe0da6bbf8e21594348578f646

Analysis

max time kernel
85s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
Size

1.6MB
MD5

829b8238f3ed9820be1c6ad5976aa6ae
SHA1

357b87f0936b5c86594152d37d7d72ca31a4ab0a
SHA256

1feff821225e80848e00c76a2e1071d15e6096fe0da6bbf8e21594348578f646
SHA512

85232d431b53700043b798625a55322e239276cb836900c4153c7607661389ce18a3f371c5428ec61bdc29e727a38d6e58a3e8031c029cd403f178a77f54af48
SSDEEP

24576:S6B88NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:/B8gDUYmvFur31yAipQCtXxc0H

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2108	alg.exe
1740	DiagnosticsHub.StandardCollector.Service.exe
3752	fxssvc.exe
3296	elevation_service.exe
3212	elevation_service.exe
3620	maintenanceservice.exe
2404	msdtc.exe
1632	OSE.EXE
3592	PerceptionSimulationService.exe
4692	perfhost.exe
1868	locator.exe
4384	SensorDataService.exe
632	snmptrap.exe
4584	spectrum.exe
5112	ssh-agent.exe
1028	TieringEngineService.exe
2376	AgentService.exe
4972	vds.exe
220	vssvc.exe
1752	wbengine.exe
2688	WmiApSrv.exe
3232	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\198fd5e983eaefb.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049c61cc5fa3bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bdeb3c4fa3bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002718cec4fa3bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ac43bc5fa3bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033142bc5fa3bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002fb228c5fa3bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
Token: SeAuditPrivilege	3752	fxssvc.exe
Token: SeRestorePrivilege	1028	TieringEngineService.exe
Token: SeManageVolumePrivilege	1028	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2376	AgentService.exe
Token: SeBackupPrivilege	220	vssvc.exe
Token: SeRestorePrivilege	220	vssvc.exe
Token: SeAuditPrivilege	220	vssvc.exe
Token: SeBackupPrivilege	1752	wbengine.exe
Token: SeRestorePrivilege	1752	wbengine.exe
Token: SeSecurityPrivilege	1752	wbengine.exe
Token: 33	3232	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeDebugPrivilege	4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
Token: SeDebugPrivilege	4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
Token: SeDebugPrivilege	4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
Token: SeDebugPrivilege	4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
Token: SeDebugPrivilege	4432	2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 1828	3232	SearchIndexer.exe	113
PID 3232 wrote to memory of 1828	3232	SearchIndexer.exe	113
PID 3232 wrote to memory of 864	3232	SearchIndexer.exe	114
PID 3232 wrote to memory of 864	3232	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_829b8238f3ed9820be1c6ad5976aa6ae_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2108

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:348

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3212

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2404

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4692

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1868

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4384

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:632

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4584

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2400

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1828
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
22082c312e3586055e860aba3d51da60

SHA1
3413e8728571f318753770ecb37602f6e7bf7aac

SHA256
57e5fef090ba7c1214a860bd86185968bd9b435cada2c0b2ce611a00bd125d4b

SHA512
bfe8759aa0180f2f0864358897a5eaedad4d13ca5ceb510e574fb2a477c5bca6532b1c015958f056804da48cce4a1b7f17888a375d13f7b5056037e2338480e4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
0113b9af1b8811a4e57acb8a25a9f4d0

SHA1
b4234fa035ad83acf51b8a2d2dc5203559ca059e

SHA256
72278e30347735e3d1aef08a3d60a380454687beecbf64c1f95aa081e09bcb35

SHA512
d1b5442465eda55c68e13fcddaf21f6f894f7e75bd592cd411098125da3742dfaaae10c2c2a7f0f3655e4b5890531285f5dc9da1920c9627123ff901593e2c64

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
db0dc4a8c840eb72ce6c45771995470e

SHA1
f8d33e0b8d5e0f54e605cd2b6ffd05b5adbe1e17

SHA256
f3458f3e238dadafcb0476c6cdede7a9693c797d6ee1f78dedb2b4cc72bf1b6b

SHA512
9a690259919b7e720ec38f046cf4c2e0d431460cd24acd7e884de07b3b64aebb2f8360bb71fe9a7e53243ebe590c1f7e12f1ec42516817d95bcf5456d516048d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fd5410e0ffaaf239ad87d1d5d85e9e32

SHA1
b54bd00e45d8b4df447b2bb3709c8fafde5aae83

SHA256
97eac04644a4ff43754fb18f9a70c33614f96669cff946f34b41534ab68925df

SHA512
757af13d556dfebfddee56fd89811b884e151b328a1f7421fca6f588ae86bbb789f2cabb0513091f9c6ea8a06650e290e2c6a01283ecd787aa40ae1206bd6026

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
68068c24e143e980d0a7022671ea6532

SHA1
9efac1b613fa10c9534a846a602502eae64a2de3

SHA256
38dbae96671233e06438f2f80cac5424ddc19fc5aadb9d16ea2bb36902248474

SHA512
f8c43a25f2b8fbe27d9de3b0a80f30dfe4f70629c64abe2affd780b9bf37271369df2b9210baf5517b48cf593fd31a33057913f92677ead0664e311c8b14d010

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
a98518546553ca08f44393d8400e6d1a

SHA1
cf5d42282147f61a0630cb92605f93bce1100a25

SHA256
79c045bbb3e07a4d6e3246bf8054ae8fcb7d729a5c573a6def1cadc233909e90

SHA512
882edccb0300ba75d247dbf8c92561e6ff38e14afdda3cbf0b400b183b98386eac5ecac5aa0bcd5d53f6f567d3f3fb72336ddea5dec3a564f43f154aa791185a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
ae7f598a3368564eea88f09e2413db44

SHA1
5988fd474d99a2cbb20bff15fb6c7ee79399869d

SHA256
42c2d258ba53af2136f32c2cb49745f96685a862d9f5ea7c1e3b68b5b0323f29

SHA512
6b5163d72152b7f0f72c044c114b35e82b4f4de7399e4d5584f729d386b9d23e73c6e783943537351ed459077ac0ac2144307e1a2394b88b9fda53b8af039be1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fc0b99760525737b36305ca6668c4dc2

SHA1
21113c1510be18b365dd58459854c152e43e68ee

SHA256
30fcae52be7e08fe2a6c868283a879a9ce1a4a8a63e8c74a95f911cdf887c38c

SHA512
8dcc0a64186c993f65e5537e261c3d757d696b5b1d067160ddb0b1ecbb3ee3148a34a35e4e4b5630dc18983365a8dfdfd900f74eee7f7fea560cf1eb943d03a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
3958befba854bf11b5ce9cb0db7aa102

SHA1
717bba4bd9b75f2419c6b895978537d402b47f8b

SHA256
a593298197a03ca2c13f7f51f73c4e6c19333f138f23cbdcb248b9c31dc7e343

SHA512
0d9bb72c1bd1716972d00e8218bccaa5a2c27f1645badd47a8faee63d3274130e87a327b1e9121c282289d17ab899c99c8248aeaf97e6834d59df6d1c1d17139

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
5.4MB

MD5
05d6393cf75c9dbc957414246522325c

SHA1
5f759760505f371d4c5b78dbd4a3b68d5f63ff86

SHA256
7de8f1a922c41a1669d956870f991f36577a4f51c054267fc25c2984433b6d59

SHA512
c395c035ec2e5ae15fe14c4f145f1bbf44a06d25a71aed831e76cf79b9123726ddd6988fa7b72df53e7ca40a120dcb18d0307dbed1377c24efd6412f2aa6f22f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8e2b3fd97edc25a034aa9e33ee1af629

SHA1
f4be33280faa859be86505751e5147f1828e4160

SHA256
66cf9b65194c23e0206b706af0fa5a55570662e36a5f2c67953f54b576479588

SHA512
620acbeb29551858e097f9fa3a063232cd598cdbf68f64407819764cc17d0412a4d4b82c0d99cd6453159c32175391194967e2629b951beeaeeee917b3829f8e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
86d1048d9fb2163ac57d9e671a6457c3

SHA1
7a1230f49d4a84c0a7a9f8f465da19d1d9741935

SHA256
c141f0de64438269d3be13112c9b84a0ce85a78a04e6fe1eacf63e274c5d0535

SHA512
cff7edcae85af2bab2b849572482595c3f5b62c783ac9249e9dc0e0e449e59a093b0b0448f2e4718932361a1448c83d64432410a361783c7d7d4e8ab16f1cbb5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
1913992d265531ee00bd806c7246181a

SHA1
dedcf3136fc298bcac6c2e6d721ee221929ba0be

SHA256
b6f40fb7fd661751252f5363ee2674179a0dfd844749965efc23b27eea58027b

SHA512
2fa5a6b0a6c2fd1d8a1a2e2e4fa608bb5c8294fcaeff49715b429b2c35849601518438c5a33ce1a2dee987d98a520b9d9d5947e5c7e6c5438fd6a4e36071472d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
003e957825fbaafa49344636f52fac69

SHA1
5787ef133b27c89743bacac9b4e23b73f88ade5e

SHA256
40ec11a00ebc4f196253ca8a197b169835500a70ac0f005414fe7f7c45597253

SHA512
9efdaaca6ff70a604e2e6ffae3acc97c183acba35c071650ba22c40ac321ee1b206a26846f868ad8371f6fb7bc03f606ed4a39051cdd354c1e91a69dc4b36d6c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
defd8947d7ced7104f644c2358f81cfa

SHA1
769398d8d1cd138aaebb86a2583655fbfc13c56f

SHA256
e393e7b2282da6dfe9eafc6d658e820f92e9f600dc98af344c2e560c638af585

SHA512
4a7648ab8b00c55a8638cd6a2cd2e664491ddc198726e963d4ea42a56b8c2d990c31db5c61397711ff4eeb857ad6884072c4efa38a62aeb6c79ecffc7bf36cf2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
750a6746f802efdd259546b0a2d41d14

SHA1
cce4c2f04dfadbae538d8292efc656c2b750295b

SHA256
a77158188e6bc14bb6969838bfa338438313daaf64b15ae920a7bf3e71db99ba

SHA512
de85b7f8f2080f97e1ad5b69c76a9e13d401073260c2e9f974b3cb6190554f7f4ed8320cf6c981b80a7cb3b20cbee78255133a9c74ea81b473f248fb801d5b65

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e7cfd96999360e60725ab311e63309e1

SHA1
cb0ff13e3bfca5dee3af2a2831576b25f57f3b9b

SHA256
bb446077400a7da3a013f3cba4891e40f8f4977f9fcee32d86f0615981f971f5

SHA512
6bc50e58e7198e712b80f1e70cfdfc2f2338902692ffe74071618837ddca6193175d8c4bdca93f79251b60303356de231ed13cbc9f597edc42a310d62712142d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
03156983586bc0ccbae03cc9d0f8c2f7

SHA1
4cf860ac8ccf5ebc6328c9a9b4cdb0e26b3b97e6

SHA256
93f4a10c072f9ff6defcceab9fffef397b1c954714917ddf5982bed11d045bc7

SHA512
d449b2971d6acd41cd68d88ad8c34b2e782b922ceaededa2398a5623f75a7863287f66e8d68bc0a362ac7e83fdf109259c8f51b73b19a55f8466fbff8d14dabc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
c69ef6a3e893f3e2c6b3037502930130

SHA1
5cfc7a24b06debc4f0d1ac3c15432574875a1b6b

SHA256
9ae3588fb0d6d3091a81f9c7ea86a8dc78173ceecff518fc1697a902562f5a5a

SHA512
7bfc791ddbf93399280d1e93fec4c78d1c14a97f8a664b726019bb0a33906fc467751265056e1c4dcb1afaf51f5bdd06ffc58812ef12796178249fa3c489abe8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
966890744402cf1fac0b4a3d6a7d28b7

SHA1
bef0b1effb8368b677798357d248a3433bdc83b3

SHA256
0f0692d666b7235f51af5700600f848f4511b118f8bdb217870951b2a16c16af

SHA512
8702caf948d385c9c23525fb422e8dcc03a97e317f8c67c5513815be3f5d34231ede4f4cb8125b681ea0eb1b848997c46856b896126e86aeafc7c9f3075a9174

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
fcc0b949cb48cdf53e27444aea54b92d

SHA1
662d7c1d5f30a0958cf8a7c9c2cf54a7098822f4

SHA256
7efd1a1feafd6d5f9a59b59d5922458e1096a74857b47f309e728bc2aa2b0186

SHA512
d76497607af16c0a81af399f8e871e0358996191099f5013cfd703c8d92ff21c990101bb98566d4a5680d14c581d191288cf6c86aab60224e322d2b3715b61bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
a428312d910876ec38a6cfc913e5ae99

SHA1
a262fb646ccbd4cf93875e04d26fac6ce39a2bbb

SHA256
8773a2bc15f5a6aa544af4c4ed6e482b314fd64946f8f06a8196c2421e8b1589

SHA512
ed254d53b350e430644bdbc50bd809bb1256666343bd2744581b5ee5ff87e68eeb6ff42f7b7f7fc5266d56fa9d276d4fc7458907f8f70844ae8027c069febc76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
67bf21a01835fe3adf456dc430592897

SHA1
740a63d44ae9cf4b7229e96d3a7404dbcdf9f11e

SHA256
68e9fb9b9e0820e61666466562bd8dbdbccf2b05e1d694a83448c3d4949013ed

SHA512
f6afee655e4a9f697388464d498d6169d0a31ff1a65c4cb12bdb9f4efe0cf7afd28dbdfca26188527385706f5b7a7abe6cd562886328aa60e88f11215a70e0e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
7a094e5c5861c0058dd69cdada3d868e

SHA1
6f24b4fb2e9941f7ab94a953aa9e1fa5ad49ff78

SHA256
2680ffe33dfe990a2a519f66243630b43bec862cd88b856860356ddc2ac50d71

SHA512
7d24a4ed4b121fd36e4c44e8f4b12cbf8edf5c3e69fb8850a3c7da2a475302b7300b8919f6b3d406190599a666f7e5998aaf3966396304a259f1937e8bbbf9b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
7157b4f50ec11319547ab4b4b35e7afc

SHA1
51262662634a1bac0d4200b496d83756cd363d68

SHA256
92c7d6203e76cf2cb47e21b5e238129fd7a3966c9897dc7c3e637367ef4ae71e

SHA512
6693489f72bcf4be15d1f6cbe38ced1ff813d40490909e06da8a41a8a3725049d6f3de2284d6f803988a15504d803e835aa548a92052a5ba38cb4c0cb6cb9ce0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
a7f80b65749a0d4b993d33dc19e25eff

SHA1
bc333a309c9343194bf98d1711e93ba7941af3c2

SHA256
fdc5c94443b0b1ae3e3b4b4ab31b65c7ac6da54631f2c5cd10be12c3aa944cb0

SHA512
143e7c4872984e794148785acfa68273cd079591a5a17e300c48a5fc2b3c980f7b031f1bc4d8494c0df27593374b1027f27fad34a868c2d95a05338f8d097d13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
24e42eef565cd980e69efb1fdc826667

SHA1
4c0d2b2bb4a30612b443cd15a1681868a657aed9

SHA256
be2e41ce49df496b9ea788747e6ae4550b6f83596f53595e82d5e50fbe856b73

SHA512
4507d794be87442c9da964c197fb32152aaf5106421319fada1a328a9d526fbe761d4e1eac7157ee809fcf2789fc54edea9ad67738e0bec4f5bc7ec2f215b78f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
03f5c91625f45ef4a28ba43f49082b59

SHA1
fa2955dbf93971886c2c6c99cf6215472ad7bb93

SHA256
d7cec98d9384b4a7257c4cd769f3ad8248e7e03e4b2ae39b7313d51dc2e0e3db

SHA512
d1026e24c10d250c31edd52921237899a479e95a1b662e7d84895eeb4308379322783de49c74cbdbdffd9739410eb493e7f3bb8c756873b500c546dd54f5e771

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
4a4122ccc3d92e062e1a62b746b6599b

SHA1
3122e63e80014e79253274f1d7d3ad77698a2a84

SHA256
85808f13e80d10cb2acd94cd2daae602c27fd07f66a35d9572ed718ba10f1140

SHA512
8bc74a50c50c36d75cca098f4bf62fa559870e4158b3f51fa0a362a51136e9484d4b9bcf39b3b26f9527768a1a80d118def086aa691bafa14cf94c9f5df37d41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
58f1e2ae8cff51fd41e2613e186c08eb

SHA1
9f3daeb471692b85c0ecd841f2612a8bf28afa00

SHA256
bf205e2a4344884dde46291107c595506c34fc2074fcaa5adce84703048c3b2e

SHA512
8c1464037e5ee68cd0eb13b5bbc71ac78dcb62480adf05efd1cb491112fc57eaed99f8dd56b1abb0e584fe9fa3a4e83d6d7fc03bdf3a0fdd0ef4a2184f3b7e75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
9b103b4e0c070913d27a35b7c70bdb8b

SHA1
f4dda0b25c0b8887a358b51ed19b8e1e213b7573

SHA256
97c59725eb67605e4be754170d3af4e5ac1177f89f70bc311982d1da921b5cf4

SHA512
73929ef37e40bcdb07049e05f65bdccfc2002dc3cccef5da5132a251df04761add75c9d730bd9c636e5148b4b86251b3f4d2d8acf09a0bf7492e6b04b0f991ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
5e2f2ce01ec7d4511e90f4815d53c623

SHA1
3bad6e1757554962b38012d1c40a28832957973d

SHA256
23329be8401a47d8b9ccf75eb0c823067d7ce87c6803bf0794a565db1f3ba8d1

SHA512
5ef511d779b7e1374d0bd5b9dfadfd84743786b604c769155085b111e70f86a8fc58115ab5236206dc894db9242e729203efeb5b69faae5a9333cfc057eb1d07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
d6ae33013cac06a7c3ea59c0ac7a4c03

SHA1
9224f7c5592b3679728ad612ed83823c8cdad0a6

SHA256
cf6844e5f98b6b04c9bbfb5d98d4109db91028bdb3cfb09de6afcd2f118e49d6

SHA512
2c48bd5d95acded5510ce793b28b596b7a7fe5147714e582f9f1a220c36d1d1fa8ef7093b547debda2552272f53af227815a3edddd76c6db6214201e5c4f4b06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
8f938bb56bfb5b0132e83c69a2e7c5a8

SHA1
a9c453fea01d6dbe76e8b817491822378040b2c1

SHA256
123a57a0045d90e6079602367bfa2824b8fecdf854315c31f76609ee9a0c4a05

SHA512
6bbe9d004b2d20ec0c7c175a2351969c035ac5646e76931be4ffb3ec6b5d18590d72c944f14f275b1698ebdd6048e533180b86d6f771fede0dfafa8df61a0a52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
3fdac8bc23d9d7c464ce97709c20068e

SHA1
f1d0c2348e4a18c5d6cdade04bd04be734f0f287

SHA256
47624647d35a3d6880b16369162dc098928f1de542a75fb00ee67d9842ec6d90

SHA512
3caf2ce93ef12fcd9ac4e03b4758fdd97e8f52efd4c8c05b3ec57d89f91822312ab268ca8d4ffe4e4f2f3f039ce953011eaf81c561cfbe40d486e92a7ad32eef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
65f9f30a9c8528ededab63ecd76e878f

SHA1
29fe3ac4d77bd2095b6a6680bd15d4932af23d06

SHA256
bee7cf2b06c491d77eb03d3b934285d56242a5182d7fca3dc9680043e786b219

SHA512
c1d206f94c2b12468a8ec53adf053c360e6241a57f95b29b0327d416caf67aab00b3f1be7e6d28e52af25c194925bdf99e5a8e9711d4fa2e2b1c0f710fe4c9fc

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e1ce5ad94c3a861619080e9ae43747f9

SHA1
c6abd5ef67902e81e55fb9a80d51b2a071eeda74

SHA256
60129cccd74c9544f5fc3cdccfee227725147ba97c402785f7761d7603ae9cd8

SHA512
85a2562664a094fa7f20467128ed6a2249b7c528f3f49be74db38e166bbbc9c39f19544cfb4e4cbef5f764157c24513784650c0d9a443aa42ee1d9dd8660e113

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
ce6e1e75a806f380ea47f7cab4a1405b

SHA1
0ceafce99ecec3ae14735175a1211f230e4a2439

SHA256
ea30f15b3b4de830d926428e718893087336fda6d383fab7907f415a4626f641

SHA512
5209b207be63f63bb3b0baec119af7b47fada8962bdce15e59463a6f31489f02fc18700684df4a0e496923378e91123fe765425c4ffdd32bcbaba96e5a7b2765

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
7c1c10671536087a2dd77c236c0ee3bf

SHA1
1b477f98c85953f8028d4908ab1f4ad19eb17c91

SHA256
f55393caaaff68c6e3a3a66c0f65fd092cde1408dcde5926ad825b5d4df1186e

SHA512
4e79bf0343a8abeac491e9dcb6ecf6ddea56779b1c1a26570a59295b10c7b65423baa14e404d8a41b7805fab11cbc4f53362f6529534323badc7dc65c39bb740

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1b9055f2d2da15036f2c9e975d53e592

SHA1
1b25051eee3e0134a0073af391324c441dae8f03

SHA256
6473fa53cc298b8f71cffa5bbe409ea7061c4186cc2893c3d7bad6370f395320

SHA512
9386e63e6307c98d6ecc2919b47e5f6702d93d5d7446fde7a755ec541ecb8644f2630fa59ce3c76f53bf20edbb229af02fb2829e3e3db03b0588456b2a3d37f2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
72f970b6eb8d7dfdc49475b32fa1ad4d

SHA1
bc65c159eb0f4c52f9f1b472fc061833a8d870d4

SHA256
ac74f018ac613e1bc434510885c2a1c120d2df84dcccac631965c20b7d9a769d

SHA512
1f3cd306b358695e59a6a9bcf390b5a40e5b0c69324250695319f2ca406e1ac015b40f0c47eab055831c0d475e32947a4e0d7d425d8f112495b69598eb422a3f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f95810ce1a948fa0441d9b7f6f8dbc1e

SHA1
5a816584a99522b59bc7925b1c55bbd5b3cab336

SHA256
dca6ddbc59ccbd339fe3e820029c5dbbcefaaeb094f373a05a21e3008e9637d9

SHA512
53a17cff585dcc8bbb6e1c5a4ad86dd83e2297590e2fccd5b9c97611abcd3ce33decaa09fd886a6003afc7d34ae8aa40c136086963cc93f86d930fc23006827b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
42ab11ed6ae11481df31cd0649cd7f10

SHA1
b3da22bea2774cc6b9c0a7f2e7d15c1d9f2b09a0

SHA256
d19a0a7f0a83f6765a049323057a8ae5ab6d52c606b19ad499aa7f8ce802ba99

SHA512
7b7372cadd67e72192bdcdece6cd60160fa3f17696f117356dc6ec81b57bf461ac6f58a417e68826a962b16cecf29046a7fe84849bcfb95d9795c280691f4342

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
a04095fe44486e1dffabbb60a0e41bd9

SHA1
b12c6fd9d4635ecf979ccfff01c7c383ad8cea81

SHA256
646a26c88af4463761e7c34e664c81226da976ab98d2034d1ea96ebc6ecbe1ca

SHA512
d5ad6bf3733b81c7ef9b9a7c377c698b92c4936bc776b05551360131dbe209cb447a4737d211b24a024691d6a135055a8a762c36440be31ced0a2f7a806e7a28

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
b2705eb33f733bcddfb253de4d20c891

SHA1
fb65bb0c445ef574a7710d5fa7b92892fabd5fcf

SHA256
d8f41f681e3a6a9e025991f6fe7b19554f649ce8901109459ab5e751f8b4f3b5

SHA512
af0c5274235a80d239d722a191f63260118cf9517afd89b0564baa5bcf94d85fa068244e0eeb53223d16904c7ed0ab94237cb98135b8d9ea7ebd7414120c3bc2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9a06aba2d8cedc3a4219159d2a7f669b

SHA1
8506d94e6c26587446ef99e934bd724e8a935cf1

SHA256
b86e5717336dff7697f294269c16b047df2686fa09b3cfff063eabc87837e708

SHA512
e6dd27c5681b51e1d4ed0510392b8137b04f14ff70c8f76e5172ecd6abb243b7cf6b671fc2b7b0569492f6a6541823719704e0321a2f44324d9138f1f8c31548

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c0b63fa429661c91528b25cdd8093277

SHA1
32cc958dc0344499f1a41ffdeb0606e07ece199a

SHA256
6e9c3e2e19c5d93f9426f707411bc452463576526efa5515aa2031889898867e

SHA512
74a8c00cff2ac175163d019aa23802893677556536dcf74ecd5342e65553c61c4871e6f39b6c38c9cbe14431052742c14cacbbf8b0e419f7c87af1a927ad77a8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
220324c952c3a7c1c927dd9383cb130f

SHA1
a30867f590f6e776f272e363350c06e0ad24d2a8

SHA256
4cd35ae3a4bc67787a6afb3d861ea8b8bdf9e578774e7a77331446a6bcd1e206

SHA512
156084b9e4734384cbfaf092d5a59d0258f2c6e874c6268568173503791dd3982385bbe5099751320d35ef36e01f16614f6f873037e6ad77d2e1a8f27ac8c270

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
ddd503a870637cfa230e4fd478c80144

SHA1
957c6fa10e2b6e3ecde7e2d939ed8a95db7e8f65

SHA256
79d705f084b57500aac2440beaba06448ca6931b9d4c8fb7fbe4b643efa14fa8

SHA512
613e7a955ab2566f999e63906bbd79d073d2328d33e58b7fc87fbaab1d8d0cabdbe7715d53cd538ceb9f18e15a7ac6762e7fb640a59691156eab2811b7c85145

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fea554eccab83738fe7000e72b096db1

SHA1
72bf59177071951d45ab7e06f63d940f6f315b2c

SHA256
2a67959590717d6e3e5ffdb7dd659d586e4cae474549a2798baea939f0b1c49b

SHA512
30a676cfbf271f9a62d6663e262e84623e30e6babcf677f4737ac79e475fc9fae5bc2ab336553eb88b4d89d8e9596f599f5ca58d06623e5e3858eb3c01cdb559

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
4d9a9233cb5d9bcab90327ee69fe4dd3

SHA1
48beb72547acdd8ea93585aa1e3c3ef0d22c188c

SHA256
02984d44a7a5765ac666f37357987beebc726f414da17cdc301af6d383f7ff54

SHA512
0e499fef2763b96e4dbfd6f8d7af45b1622eb41b59de7011bd0d433814b50fad53103dd21ea2656135685bfb9e5c28e9520aeb074992a15bcc8fe6f7b94e97c6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
460337e7c5a39b73fa7491266de3464c

SHA1
5d0f73aa7dcf04b19b52ac4a4799ae3aa552d01d

SHA256
120649d1363bd267e7034479b9f03017ac0c984b006c5e187fca4c52e396138f

SHA512
a6213dfef28a9d2a75544c421f69889b2e9fc2e00498b46e82ccb97b690e1cd8936ffac8e159711e2d2ebbd5d22255aa12ea5aa0aef4a048e22b76d8d309f5b5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
c499018a3d0e047413e66ddeebd23345

SHA1
d3c6ca5189d261ae55521a9419c5b4364b118db5

SHA256
8d8754235aeef0790b682d8e81702a7874ab5203c5e273344a4bb37d33dbb7ad

SHA512
c33771aab2fb31c43cf3a8bc312069342895c8873ef7d55ce660b21247c31c52a50b0997fdb9f339a1a2f28cd668e7f20d5165a7aba5e3f20a2365e2a17d9992

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3b9929a8b94c0d65b43c2202f5eb6dd1

SHA1
68b47bef532ac2c3845d928269a5ae4a17654d8c

SHA256
73c9e941d1b28ef9a91ff854ea9ab8a51aa65b4b3d204cc4473be666a0c9f285

SHA512
aa216e4899f816b793881d5c416acf6c277159776aa28fa0ad973f6f64348f745ab4732537c2e642d509c8e36e2a7be2eba014843ae934dad0cd8334f42aaacd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
a1d5f2b0e35faa96e28a32ae55b9f531

SHA1
efaa67e74fa198ab48fb470f7ff505f61b2b2cff

SHA256
47b1c3fe08a7b9caa407b67c72ba6da3f3267fc954954ca87366a11529e3776b

SHA512
b6390af1bdf020e2e26a1d0d4c03dd1cee2f8c8c93f292aeb7810abd4b10c1ca507e91563ddf7ccd9b855ab9531d2b43d9228d6d8a79ebc37ee8c6298631a7d8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6de837e2ddfc48ccc6101dc2918f19ff

SHA1
d7edd58e2fa9eee423b0454132775215850cb6e3

SHA256
fba9fde7ff2ad78f787728c30ef41aefbb0fcd1c8f8e55e5b881935555fddaba

SHA512
d47e46c09a1bdd8be50ba7ca595edf56e1619e3aacc92a47d66fe7cb96a4422eb8ec2a34a62520e6eca2b707a9a1ebba7be5166bd31a450b02656ee9e3775598

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6a780371ab817175901f725c345b6081

SHA1
b76dd2fe04b7d9f6bf8550e286974779760d137d

SHA256
54405cfc045ea7370fec974ff1fc4b8033aea4f444d4851822609207b9eaf185

SHA512
5432642d75864cebe25ceb6ecc0f67f2c77c071a3bdd924ee02470cb349a90ac554c5d8ba1d184d5f86a95bc1b59bf78119769d4037dba646892c5a514c87541

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
28707b9b1a5e0e883f2ae22d532156c1

SHA1
0a52bffb2f11432d740a6351123832136cde3723

SHA256
2e0ed09dce673896d9878d7d7277cd8f0781b6a2a732600f3a2f846672babdc9

SHA512
225c9e21f3696286bd4430c5834af914ddbbbf25ca1ae55d5263b92faea67939ce5b4a84e58bc10f7536cbf58276a22be4f6f26acd0d3df8ff4e83bb99b1357d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
4d0aec60f332daba1b39e39276134111

SHA1
cb8cb9394d5b531c2496ee97b394eae3926a8657

SHA256
dc86e54b2b0d6125d0dc5558bc5cedf251a858aa599f7f1ad25fa4be35b7b6d0

SHA512
6a6dfcfbb56cf566238c4a8d9a1ec9bbba4228ebd1e48ef660e9f77ea1f43622b1a04c53cb8da177c3f4e369f27e5b1e57eba262949b278174dceb060681ca46

Download Submit
memory/220-247-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/220-527-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/632-179-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/632-281-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1028-460-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1028-199-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1632-225-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1632-107-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1740-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1740-118-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1740-34-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1740-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1752-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1752-534-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1868-261-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1868-140-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2108-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2108-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2108-106-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2108-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2376-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2376-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2404-217-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2404-91-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2404-92-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/2688-270-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2688-535-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3212-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3212-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3212-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3212-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3232-536-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3232-284-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3296-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3296-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3296-56-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3296-182-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3592-127-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3592-245-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3620-87-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/3620-76-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/3620-82-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/3620-89-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3620-84-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3752-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3752-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3752-47-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3752-59-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3752-39-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4384-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4384-533-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4384-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4432-2-0x0000000000C00000-0x0000000000C67000-memory.dmp

Filesize
412KB

Download
memory/4432-8-0x0000000000C00000-0x0000000000C67000-memory.dmp

Filesize
412KB

Download
memory/4432-75-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/4432-0-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/4584-383-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4584-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4692-130-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4692-249-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4972-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4972-509-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5112-188-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5112-435-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download