b0d17edc3ada35fccb5d778f78cb407ed24a6f33edb885d2e01b443872bf5d3a

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
Size

1.4MB
MD5

dd4511508e6ca42fddda6d29e99df774
SHA1

f4accfe8177c9c597022e3b8f7daffca58d12a00
SHA256

b0d17edc3ada35fccb5d778f78cb407ed24a6f33edb885d2e01b443872bf5d3a
SHA512

5c765a40d2096e1ab4397ca4942ef15c938c6ca16e763c5ecf26222a6f637b7e4e436afe6596276c496fd5edcd87fa1affefb4ed7532ce5feb6d859e4761a2ed
SSDEEP

24576:p6B1RVldlnXfH9gPwCn7vOb7HHcp/CGXQp:8B1RVlbnXf9gPTTW7H1GXC

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2664	alg.exe
2884	DiagnosticsHub.StandardCollector.Service.exe
2272	fxssvc.exe
5060	elevation_service.exe
2232	elevation_service.exe
456	maintenanceservice.exe
4016	msdtc.exe
3772	OSE.EXE
1396	PerceptionSimulationService.exe
3016	perfhost.exe
2412	locator.exe
1836	SensorDataService.exe
1816	snmptrap.exe
4616	spectrum.exe
3952	ssh-agent.exe
1348	TieringEngineService.exe
1716	AgentService.exe
4192	vds.exe
2888	vssvc.exe
1712	wbengine.exe
4772	WmiApSrv.exe
4516	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\69b57ec085ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{202F91EF-93D8-4437-A499-C36C67EEB76A}\chrome_installer.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a592ec122e9cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d542f132e9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c64927142e9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079702e142e9cda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dcf594142e9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034d411142e9cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
Token: SeAuditPrivilege	2272	fxssvc.exe
Token: SeRestorePrivilege	1348	TieringEngineService.exe
Token: SeManageVolumePrivilege	1348	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1716	AgentService.exe
Token: SeBackupPrivilege	2888	vssvc.exe
Token: SeRestorePrivilege	2888	vssvc.exe
Token: SeAuditPrivilege	2888	vssvc.exe
Token: SeBackupPrivilege	1712	wbengine.exe
Token: SeRestorePrivilege	1712	wbengine.exe
Token: SeSecurityPrivilege	1712	wbengine.exe
Token: 33	4516	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeDebugPrivilege	3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
Token: SeDebugPrivilege	3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
Token: SeDebugPrivilege	3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
Token: SeDebugPrivilege	3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
Token: SeDebugPrivilege	3976	2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
Token: SeDebugPrivilege	2664	alg.exe
Token: SeDebugPrivilege	2664	alg.exe
Token: SeDebugPrivilege	2664	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 888	4516	SearchIndexer.exe	115
PID 4516 wrote to memory of 888	4516	SearchIndexer.exe	115
PID 4516 wrote to memory of 4060	4516	SearchIndexer.exe	116
PID 4516 wrote to memory of 4060	4516	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-02_dd4511508e6ca42fddda6d29e99df774_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3088

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2232

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:456

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4016

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1396

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3016

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1836

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1816

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2892

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:888
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b65722518d95e456f90630b824c720dd

SHA1
064af97b601b32976697081445d2424a00739e9a

SHA256
b0178538ac07b008274d1ae721640132579ed68f37e5c192a964ff1a7c935b56

SHA512
ce463fb3e98457cc1a13a21facc7ab63d01f27fdd44586b386087f8277b0d8015fb5684649a2e576d59c7fc5341d15bb5f4b2d27526996f4041bf3f3a1d1de0b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
cedcc504817c155dacb4a546d80edc2e

SHA1
a6844c74e7b6ff250f5ab17a008bd6c6d8775553

SHA256
c9fcb57ecd9f80b22e066ae774c2faadbc62f3a713c2271b3da0f7f6a81e8898

SHA512
6c42a2cdcd1a7bcc145cbca7ab4aef30e8a6c97f025f931c3a0b53ce9823074f4ae2cd55ad1ef335ddd0b8c743fd2b8b1d7df902fa73bac6b1d4132148bd2a31

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
30827c070ae9f7c635c52cd970cb11cc

SHA1
3134b6763db2f1b432da4c2c2faba224158ad7aa

SHA256
ca5b8d4957296cb2522bae631af160640ebd8c9f03c22e87504f530e35104341

SHA512
13dae23ae4bd18664a26dde5c8b3937147985c6b4b5f6c476668f3339c8b205d38f5ca0a5d02a8964f27e46723c19a3b34e1eff1cbd5aa304a59071981db0270

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
901f02c4768cafafdceb64f5ffbde8cf

SHA1
3139e2f3107959af578927f8aad74f8f21d9dce2

SHA256
5a7b50af8b6e644976ee5ee2cd35fedae9af7e9a2d0820970443733a0de8e440

SHA512
528ca4c438cfb807d6a7919f61eab9fa4667d5205408393dacd58572ed139605407bd19f9991f429703f702bfc9568f1d35a50521b37e36336d4f8fb3f02d145

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f4a3da78f3c44eb0664954c6a65bf3f5

SHA1
791625658a2dbd88a13b0d19e11285ec2f271b13

SHA256
eb8d7c8be79e2f7bf084a95007b148faed90c6df874a714600161bbb8c780f43

SHA512
a619062d4d090963df43b47fd1228cd926670e3e3fea92d7ddbee9b3d0a82e993a0d72d7485f2306b0e49dbdb25d9627f1aade253c7aadcc2e4d55b85f06d60d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
8f742c0d02bc6d7e56e397ef1c16adf3

SHA1
abe7af873e12ae9a0788211cae18612758228e52

SHA256
8bf9e07939346142a90be7d0df9177136cd8621ff6fb3de99d6fcba0c048b594

SHA512
8097a577f0f8f64b1bbfba10152ee1aee9e98f342a01c246634f28146c6cc83edb4f6d5f65176c65aa7028f998f74290f4a40b4b25053d7d24ecd48cb0b86f22

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
10e18146762823cb2c9969f6d183482b

SHA1
e40afef43d06d07fdb0039e286b8f4b9eac762bf

SHA256
6cdbf083fcd5d7441165d247fb8f32c4e950048677640b5aee226891e3a3386b

SHA512
7eb53cf43125e10f173d9d6f60a2e607ecc9f1d651cc640280db88bd53588d7d826e4d0d985422c89a61c38c2185a5ecebc10400cb35da335c2464805c59c71a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b4fd569a27ed7d47b30aadaa39b4094e

SHA1
9824dbe6d41ff7678944b2a8c974b29e52b58960

SHA256
735cf7ef8c7e0af5cfe80d7b3ca81d10be6c9526ef2ea499ed6afe7582a1d6ca

SHA512
130ea7a770510ee388739a82b2089577dd45a75640bdf9503b6057d553493de2896c9de10f29d073542a2f2cc3fbb62f3b0fe2b60fe72a342875264500cfbeb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
0b665d41b985abad78a3bca74b549e63

SHA1
0ff79527b1b46cb367669488d8d683709a95c265

SHA256
8d0424c8e802efaaf2a1a3e590f7c7f896b794facc8231ec2d43bb7842c7d8be

SHA512
20127fcbff003096d83f59ad3a9d558973a6efba3ee22031428e9a2029c69d8e164898240967fc46a775ca992fecab5214d096023a7d6fed5bc8b97453c2ef81

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a1ee4a283a63e3901ed57e7b27c5fe79

SHA1
47b00130ef8303d51ce79d776c71e3b88bf8819b

SHA256
9e9a432b86ae3142a5794e78eca6dab6430b96ee90c7516837077d54c4c5639e

SHA512
57302e5f6f0644b42f91bf4de919035e40afb5ef8279023ad15289573a6910f3eb42120b9680b9c5928812425c53a948bf0ab864908b2bfc4d4945f5ef1197b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7a247116be1fc55a9cfc87eb8dee09f1

SHA1
fdba6fa6e26aee6b917886aedcecab257742fd75

SHA256
94cf12167468894b501a63a17c36071f5a54f91e9c4f16258c26c155baee35f2

SHA512
ecd3140f7d19318438691b216745b7e8d2200148979acf3be954439025f1759903681cf115f81431e9534267267d2dba4103c1e5e96a1e92bdfa91e4ec15e170

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3e62327603b45847a1718c492aacb22c

SHA1
d569a948b12f9c55318002298039f760234fc747

SHA256
e23d944c12d384f7b1383f474c6e9d23d46824b1e5595ae8d6ad59f7d5b0a997

SHA512
beab8942c505228752283000606762ed5be6e078322f420802088bf87e7a9cfd531a3f5b8dd6e7662e7758ae367dd895819b0ecfb2703c868788866467628dba

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
71082d8d2b5f195863661b9306bdadf0

SHA1
75c2a4fad303b780e4f88aea42383aefe74581ef

SHA256
2da19876b590b30a448f8397468940ef7b4123301a0e0f6e42c03522ff4ab40d

SHA512
b81ecd23b0da4a56d343753486959c42fed42414fc65857d81f4e505914929974bd4d81e1e7f6da53e5db4a437846046c30ee9af2ea02cb3adfc06416cbf599f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
8761f2750deb4a93e6e0e024343c1f83

SHA1
0b031ad4c6bd88a2d65d92e70c362211aef9e3fb

SHA256
a579e538e2c8632ea391a36d408a8f64239818b93f6b2c95fcd1c7187a7889e4

SHA512
35c94cccd51bf661462d70782c01e2155ce5e9674a444b0387fee1dfdd90d98141b9974e2378f79a9e74534b69af3f6e272d27f59dc3b0197b5bc34d2117e383

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
1b23b0962d02eb23c860e9e8aad96842

SHA1
dce3c854431ab157d66f5891742b1a00d851d27d

SHA256
25a9b72fd65e77679627b48ae8c3c5cb6070923c7cd046976a56378dd94d7cd6

SHA512
c69c91735b298c09cc39dbbc104234e2e946e32f1ea51c0c0f349290959ca6416801232b17bf652950b8722fd69cd5de908efd795a7762ccfe72baa9237c2806

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
fd6c6f4eede1c32a88ae824db17ea67e

SHA1
dd61d2e07d25b4418575a14861f97943c5ebf9c8

SHA256
9cf70bae8daca752c0b11d3cd9805b35fe3f36c055231772afbc0b7c9a46556b

SHA512
c2d6dde38934c3344d430e60e8ec5198a07c189c8be25c162c873421a7aaadeb20fe7ee5c1d437e801ea11c5b65fd98621631f9de7b32d3facaa61c381687475

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
3dcd84e20ea5b0a70b3b1e18b3bd0815

SHA1
cf40e462d55715250f47d4f70eea1408dc1d3b38

SHA256
77a1f9c8cad4c5d5cdc8565e02fe0e741a578fab53bcab826ed696981396a475

SHA512
a19882ff5348ce1517e8f8d6ec2c94eea0a2e2348e81bb27a6af8f943c3fdee0ab3ab8d8900ce985e6f20c9ef78790508429a134b6f0f814c53fc5e42e0b18c9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
0f2e4c52473640990b4e82a046d8e9f9

SHA1
40dc75e61e53b17bf50e63b1823f202674cb04c5

SHA256
bf8757944b9fecdf620c6255eae1b4934ee4a1a36daf2d133e5acf4d9eed2011

SHA512
d16d034728035df37a4091dab3862d89dd254e400237dfdc191bec4a69975df4e00c9ac0a59af75a8c1ae13a7f442fdaceffc081fa3fba6f3369ca1bcfce23ea

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
3791803dd90edbf4701482c92d7ba8d0

SHA1
2a0b4b63f16aa432d9e66c854ef871dc42862d85

SHA256
8a40d790bb8c5dba3f1d192e827acafc778eedea6479ef90e19c6a2baa67a2b3

SHA512
37a73cc9fdc1a33cfa830fba678e2778dddeefde71c6a1546b0c78ccd92a6015ba3cc70d62ca954939e3ae69468689d74cf368bff988fe5e6155e3ccb70d05f5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
1e64eb2caddbc2c5c3d9cf008438fd64

SHA1
ac752cd1cf50844c02c3bc53c5c5771e141923d5

SHA256
c4c4614385857175ff853151554a81763ef0106aebf135ff2b86b5c1c0dc8946

SHA512
22566281aa2d13e1a4172e5c8795fd483e61c159d02ad05f144c15541a5711e927c0168bc774f0163b6fefbe1d86fed4fa698a4f596d8a73f77881241fb3e42f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
a02f7a9938c853fd235bf6a0b7433a45

SHA1
59020b3f32a10a9dc37f13a2d6863ae27c562a44

SHA256
b169c3afa5c6bc31acc8d874531fc4dc2f2db4e60cb57bbe8edcc615655d6726

SHA512
53197f21e884322ccfb4c58742f0c5dd5ad56d1a5849de6897c4897227cf99f3939003bd3cc7a039224bc9295fd24f8b5bab1ddfb82865c58a2c78d8f0f1c37b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
8135f35c9e80ca86715c2ba2f0cb25f7

SHA1
00502d0b45b0ac768c9f3fb0f6b1190ab70cf847

SHA256
be452eef51e08323b2a10f2e34a3ca31fa029952e2bbbe0c3c08a385641c7e3c

SHA512
f3de142e4398cd066d733c973cdcd3558d93be40c3d6a8c9b3b44e8e4056f5edbe6d6d50ad341e460d95d8a4164f474d9f7a033ef95590c01c36c7f0454975bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
185c336088e04d6084951322ba0395d3

SHA1
a8e29849e675b7646c5b61721847c9deccff365c

SHA256
7509f10eb7a54b59f5b192fa81fc1652db1bbe1e0c994b5ac29257ee5a6e7aaa

SHA512
c9b61a0938296255eac2a4fedda3f3b09e20cf28188215749bddda8923c484b88f0f1f4d5c2e220055f014c16837d38e106cc3f50023b35b0d0aebaf10f37d7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
0dfe52b6174fb829ec32bf1edc68dfb7

SHA1
85f02006bcf990eb9dbf484c458fa04fd28f3392

SHA256
4b8cdb0d1a095746207b7dbf27bf6e09235d8f243924d7fd09a2e12ebd1ff02d

SHA512
5fb9c05d31fcfc41a4d9799b0ddd703931970bceb88097f7a1df3d57fa7ef897a4b6bb1d26fd35376513e3b3b5622a6a727cf840358c0aacc76a001d3a7b92e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
4c88fcf9c344f92c7cf854651dd55e8f

SHA1
8958ba8868bb5f84365bb79c081f8050f9d0d958

SHA256
eda80f960af26b954221bd1d5f4540a1b5a6c6c2bbec833af3a05b5221c91817

SHA512
56edf36895cb367d2183f8c78ad74fa192cd106d3dd9b45775098c6dbd1dea19f17c38d18d62079cfef48c52098522557d5794d64d058d5cc92684d84d04a636

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
c95f024725d759e8feece528ef393dff

SHA1
75125000a52b045f964e1292f3fff0ba5ad94e2c

SHA256
7e1bd8dd5976ffb0fbac856fd021c7c6b9b4826131bde4a1e554a1a9a9b847ac

SHA512
aa53927533c842808751e6e6230f7a7a5d7d45e0ebd98da62a06c258c73a5746a3f712accd9917745255a3b7f71fd61bfe5011b30d3a17aaddff64381d71c091

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
8194b8ce78c6b9cb34d566c1def56c8b

SHA1
5fa30a50921c14245c584109a2d9ed3456c86235

SHA256
b6376326c5563c0f0f5989efd1f97dd21fa7a8d366b773609a3e149f7077cd65

SHA512
19739079d329bfd9ef0e03bb740bbe27d7fac7ea29ea89ecd84d3827694e197935c2013905d3e4795ba790948cb3fdb53c1cc3be588cecd855ed3370efb94e36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
4a15d82b1afc5c3765f413982de8bdfb

SHA1
961eb3ee6835e95356050ba4806c211d2814711f

SHA256
5a94357a7c8c60f98c226b3bc9811df6a27d6dccf726187b820a0529c1ae07de

SHA512
5da0bc618ee22b0be2709a9cbff0946d1646b951afc17d4029f132d38ef0734c53a175793460d30fd76346c5033894f1b51a60536b843a7c965118bb82626884

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
e004a431759413f5acdad5085421b8e6

SHA1
3dec762f4a8f1494624ede572a1809b8ce83bce5

SHA256
cdca25e12be9c9e8ab4bb2686a47538421607c70cd4148ba26e97ee2a511ee47

SHA512
4937544ed109af68fb2df020f616e18e9e46766aa47aab63fc10687db30d6a69310a71253d13e8db6f3102d5d4e53bf6b461bd5bee1a486d08440b71aa19ed7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
0bbf1aabacbd48d8eea874e53d25bc91

SHA1
59b8f5e55bfc6dce68ee448f0021bd64e2b86e01

SHA256
448c281292429c54ba644bad72760bbeded1fe926ad9658209c73b1a61c08a8b

SHA512
5e0bf2c86030bd131c38c4d6463873cf12af78c54443424815bdf5cc75229df85e523d2baf66620d00b9ab7534cea6e16e370954502054ac3546057fd17cc219

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
bdc3839089fd30027b0ccb1fd63a4559

SHA1
93adf560919de9d7d67d8d1730539ef6c17603ca

SHA256
976015840c1ff43648b6b17b79982ff9524fb36d652b28df2a8e6703c2859d1a

SHA512
719faba64132c2f44146c21dd35c102e822cc4f4288574c5b975b416ad044a55a170fdbfcfa89d110e0be8c4264b782d78ae3facc145582d812d5363ec012e94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
d38f290c93391631e278727d1827de7f

SHA1
f87a7f2ba2e0d51c91dc70f8594a1d0a4bef5f14

SHA256
d9314f78ee8b3eaa6d1cba224f9a3c37f7d9638524d2dd53e588bd62ddcca284

SHA512
aed9778e21018562083c52fd30a38c08549f9ff03b3101ded98809adfbcc40cd057d6fd4107b449c86a5f4baa05fe9a339cd9d1d055e403a79ad989fe0d08c59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
e5bbc947cf4b3506668abf385b5b2b59

SHA1
324f9a957908f923a9d39c2e9ca97333c84ad7fa

SHA256
d47624d0565855e842f9da52e3cb7dde1eee66f30b8da4c22efca3f1dda2ff07

SHA512
0cf8ae541a6ed65d42ed48d88b6b91b935033b654d94b1ac59e6edf31584a6737ff902e326a59e08c18ff03f11e5fecf2d2b5e89d52a88793f75760710d9341b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
0b5b6ecfa23128b447ec77bfabfbd8ea

SHA1
be28c356f9839b7b0e1c59c39fd43f36af87a408

SHA256
ec87a80244a19bb1fe8f7230479703292438240d5e06a9d8dce599eadb70f099

SHA512
09135e5a94e43de28b01f050348de63fcc3102756957eab43ed8ef2ab7a0473fffca13f6c674384ad680856b66335458468930275e6f0c901de32409341246f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
cdee940a4e75eb64218a8e4ce92acf1e

SHA1
ae721d54bd9ecff8eb5c022a362fc76f537392cb

SHA256
e0acd3ddc1aa0c329a716dd8dd7f833b1a3f8a291d6a9637abf64a3087c520f2

SHA512
b25782446e929dcd67bad23632c38f80f2d166cb6a2e09e5e91e8ec4797f32ed793a1f05ada09248e73fa90d86ca9c3e4e79b280c14a47bdca2691151ccee32f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
64cc963059cf26a3c09e71a42c852322

SHA1
a95cdcde77ed2fe5e3091c3b04c8a10965f4be6f

SHA256
430352c6adc19eaacc228d0ac0bb9fcaa9887d58bddd8dc92482dafbfadefda6

SHA512
682a92856617fb93fc5c95520a09f85f6eb5981a8dc0c3d2bc6cdeb6da229ee69af7fbba98e386dcc87284864c011e0b5a5d836d34d833d6a462980990bf47b7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ea10853640c5e52900d084728abe2cbe

SHA1
c0815326c3f3655760911dfea50e41a6639f6670

SHA256
ae37c41d8b84e9998a88ef81052311c9c62ce9bfcb667b5719a6d5ffc522a9ed

SHA512
f75d946092d27e552fd4a7921bc03d2262b169aee040c6716fd276f8e006bb7fa34b51eb940df4de0ec492813d00a3c4e34e070eb254ddde037d99c2d8f4aac3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
94522336806334a74a3220a8540d66b7

SHA1
b14b45201302325ec40a724e9af254689f7ad721

SHA256
a2e3733970ecc3c3fe473c90f0f4c5f2974fd86be4f12187cf4c6f5d471e2e76

SHA512
811832a01d6b58abcc50061d75a564445b78234434595fd7945f9e9d7f7498d4ef8b8a22cd0d52d7f26ea594042d87c0c972ddc9922accbb8ca273f74d4347ea

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
15013ba9e7756e8d12f37f223a73fd86

SHA1
259077cc9ca5541475621d01ec23d949af602501

SHA256
249504af833517a3a9db2a5f4e50dc18421c8f96434f8e1839001129926445bd

SHA512
81ca1c94c312c21a6960e30201b19a6ffe6cccb6791d7a84e4a530c964d3dc779f762170ed74a048405f769fcc7dbdcb6cc61012d510bc190cb43f9b0ec963fc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
591f6283e4eb202b38fec23047e4dca1

SHA1
356f46d8bd1a25ef6197d38618ee693c8d6ef84a

SHA256
0b2fb9bb8e59adf20aca5dc72f5ecd151934dd20f10b43a7c9d05cd8874dbb7e

SHA512
3c727cc0a231905756a283551cfde101d960d317c9fd498b0cbe1f8c3ed625b079f414fc151bd733fbaa874673c81873d6b23bf1ea1e544f2f4e78abdd967572

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ecc316e646d17c2b3d210b71f0a484cd

SHA1
c6c2aaa29d6771c6e1dc6f71fb1a37e6fabb54ee

SHA256
25f10a24b48076295b08402f5ca9f7db2b2003d201b3d1e4d474856a7d06ec38

SHA512
522832679a13d6c39e7d3cf6d25aaa18d61d4c0a79a99ff90c3fa79cda5c550bc650f0dc9f2f055561963efb3ce7eb173975af829688fafc4025498f45f9e438

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9f4655c14d22236b3877e6cbefca265b

SHA1
6bf81a4c0351cb78bfd661c8c8fd3bfb6806b6b0

SHA256
0807e02a57b28dd0bb54aac5dac77a020d61c3677852ebc3afd6d3d3b6b854fb

SHA512
b625bd2a889bcc94885f87b9c32e88b4ac4734c8f3561c35628cf05c94336626c7f930a5c14f867a0343b789fdf24dcaa1462a175ca8e1d693129d3a56c5239d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
203c42b185debe6a5283d4bf1199d805

SHA1
1d624eb88c6b1e1c5177be6e0e7a3beaf572748f

SHA256
3c6315d5eb548cb8ddc45feb558ce3f0ab6cd52a119c1a9404d44b044f422e35

SHA512
77deb0e4f6f5d9e4fd5a414781c59c22e35f9dd4b94af7fb78ce231d9e44312f7d14ea2a3d2d4f236143b452b8b142c2d1082f036068904271b9a39667fc0d84

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f0082674d8b3fb87865a59288488ecf7

SHA1
f400b52e7f52f57b581d0b3d192efd46c7d359f4

SHA256
87407bccc743e7f60aab4da598e3a81d5c6453ae435321bb9f2f2b8aa1de50a8

SHA512
db4308b6b2c6ee4995a17e7cab9ad91829c5e3b8a0015069c40795dcd9c401c0fd29cb45f686c3a51581fbb6da464e6c0f8c359e8cbfb1eeed2b16d14e0db537

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
3f23107d404df5865e1cd741804c3929

SHA1
4f699f220c9ab1ddb8ad9af0301cff1bfbf0c776

SHA256
e01197e9129da68e0a106e2cdb176af83bf3cdd58d7d98165811251590b4b8aa

SHA512
ba630aef61b1c3841d7d83e00d69dc98f2a0a32988f6a8828a4e5ce4bc50a3c2d1f62f20fc726605d0080d5056caebcd87f87bb23655e841a5b60d829385326b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2cf39d091e2e6c7a14173b416bd7a35b

SHA1
fdaf3a0eaef927600bc0a66078bb7a38a0c2f86b

SHA256
f37c12ea69eb7a124dd76af1db32ddca7ffe5def29ebf6bcef181cc650fadf28

SHA512
e44a46cd06756ba4e50e0a735e9c0ac5611c5755133cfa7141405f7397941cd00309730efae8d7654a5bbbdada4f8cc1ac79c4e0e3e3ccecc165e599072114ea

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
07d3be5d49917967e54c1d2beba17786

SHA1
2aa324eaa0f6f1a421dbc9e349e4d1e78a9c0ffa

SHA256
5b80ad87ccc4d39c3a2e457b62db6d18ab0286b1b708fe839110c053c9c42cc5

SHA512
9101e951e330d453ae0e27a845bca855fed88f9235ac64f2e79ee3aaa0d1be2899be37949a89e380cd211052ab42efcb6b32ab00425c6b755ece72340db0fa54

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e92e331891e479864499f946af8169a5

SHA1
7df635a2fb79d4320daab6f2fffe31c596b0cb2a

SHA256
e29c9ea829ffd46cf756fd6be39965c141a652fa98ea569d4dae9f9641a0f811

SHA512
487d627bacd63ac654ddf68cfae4160b98a7e0e50d6fe338842470e7dec886ea7695820171c3314c23c02c7b4836416273e4dcecba34dabd9db340d8fbeb1497

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f1f5a5e4e480ee2ae1d2cbaff3b4f415

SHA1
b242bb1fe7c989b5f412bf3366a973f2f68f9423

SHA256
e7916e31cf38c53a8967c0a150eb02e4aba16ad98dac8742110fe56365098fdc

SHA512
beddf41e875bd314c7e11f19718479a9781bc1c5e188ae79c675ba7f849e98300093a9a01246b8f0d51507685f4202107611f0333032cfd7d2a6171772c1b627

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9ff3ca08b5537084c61793b5d2bdb9c9

SHA1
b35bdebc4d5de32e72e3fadef7bca57fbccc4ef0

SHA256
b5266cbfbd91bc6ffb94336705ea1506ec9f28860c77183ab73e77365b19ff1a

SHA512
643e474f9d33592de9ec9b33c50def882c0ccb29470942c23cb4a05784efcefda1f36ffaf192c9f612f8a211d9708170b6541338f2a46e9bd2251db76b4f84f2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
5506a33e5778dac212846529b6b10abb

SHA1
b2d17069ea1a4fba621d92a79c291923e92ad0e6

SHA256
34f2184daedb3a958130aa6081a9e7266c56acf168ba5ac178efbc8de19a81ec

SHA512
079f9ce85057d89cf7287d09673bec3588683986a2c84ab6cdd4f730c8ede0f93c69493195bf672a4b3f669e1afe68b0702d6e8fa3c43ddf7e031e151f22e1e7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
70887f3b9195fbeb79b6599201e93fae

SHA1
7029c3a45c3401919ad2a2f551a26fb7610e8d42

SHA256
2737f444516766656e63da21d7255dc36a0ed3a156785103cb89bb5add6d21b0

SHA512
95b960bef2aaa582052c16f7bc8393dbe8a53a2e20b3413ba1ce2f7a92b60bf2d954cb07e9c349fd128d1d162231a36f261f582843dc26e4af3ba36295195c5e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
0990b81874f4b8192a3dc4b0e11cb7b1

SHA1
899377ad336e9c0a0c1d41ac403b416aec51001b

SHA256
d773aaa951c183fcad797a7a1fb8d98c9b78a2959815172ae522879a1a23450c

SHA512
e4dc82a5e78cf1886b169ee7b50952d4044faaa89cd59255c6a13837d94c65887c28c0d23f675c200063cab2b765e28e8fb18d418edd4a5e4814b6b5fb1482c2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3c5dc4434dd7eb5e25662edbd02f7e52

SHA1
1f381bf87ab0ee78317572b2d8c17051bb902fbd

SHA256
fecc5a803879fecb3a269c6ae99f610318eaf1a012bf81fda8aca353345f402b

SHA512
d49b005d046657cec3505ffa597f0139762f49a1d4ceb5ace1cc5924816357c777a54881a372d64eb1a6e11a736c1617cefc89f263bd28705a0c24a7c581d1ea

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
81e2af185037fdf47648b6479c94c1d6

SHA1
8d1a50d4c71d6d1f3423a3cb7c0735ea2bb3ea43

SHA256
ca04b01ca103aae1750bd159e3adaa41324d11c635a54e0c49406aa8ce5824d1

SHA512
9c8c997fae1690a623ac3388aab7b688f84bead45db8de4c66a0e94c0119358376311269b48d3191ce5dc5d17dfacbd6fb23f00e156991bb790ba0d15a77495f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fb0199a939f05593730b376f72d7e6f8

SHA1
b12759db1bed9003c8a55d754068bb4acbb2a8f6

SHA256
3a470dcbfc63ace38608709efafce141a7bb8330286c63f865ea53d8a8434402

SHA512
fef53a0eaccfdd2ac36a7670956ccad59e6606bf2f98640e676e436ea3ffb11e9f3335eb5343cea1c97b5c0bf8952508f3831b7881f17631d6c4a35342e380d6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
25085f18edecb578ea97354ec1af19ff

SHA1
a99eff49613eb0f9e75a4a1143d4e74d7a36eddf

SHA256
472ea2009c786b8b617e2674b5aee1aedaed476ccb51cbc7bdfa673eb5eff354

SHA512
3de83c0a9b81a5b553bd20906f0ca366dec1638aac9540cfcf451348ad406393cb0784355575bf2fd2da8b6d0c1c2a6a7ff6aa9dd7d75faa2aa11d91ef17402e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3fe8eb6aa7cc1c3aee09aff68c78f8c9

SHA1
ee2177cce87e53a8da9c3773a920166df73d9b42

SHA256
b16ca4b542b9b956216598724d66a3e387131d1f81166e8adaeed36d07d9160f

SHA512
c895f92b8a337d6bd00aedc7fabc40d72294ba4c4cc74f6b21f3dd957ee7d26b8d0336a5a688b33da7d148dc532bffa52cd57011d925f16f5abd7264c1157470

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
e6c5f8a44f2e2015af24c72246bae896

SHA1
80b040e7c4dd26f5f272cb244f06e0a8f46f6b96

SHA256
ae02f89fedc9d62ecea2bf9b8834840c1876e175be0b422b52b9b5a59c901fbb

SHA512
a77083bf4bfd8f51ae14e67625e809df1061c6c6d6a9edc2769d22a0ebf781e950b8ee2d9cc614a891c22f45c05d9ed92dce37cc6a48d30030a4a19b20823ad1

Download Submit
memory/456-88-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/456-84-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/456-73-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/456-79-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/456-86-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/1348-198-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/1348-561-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/1396-122-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1712-567-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1712-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1716-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1716-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1816-162-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1816-411-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1836-495-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1836-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1836-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2232-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2232-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2232-81-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2232-173-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2272-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2272-59-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2272-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2272-45-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2272-40-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2412-139-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2412-257-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2664-111-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2664-20-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2664-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2664-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2884-138-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2884-32-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2884-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2884-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2884-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2888-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2888-564-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3016-245-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/3016-135-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/3772-112-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3952-187-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3952-496-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3976-83-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/3976-5-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/3976-0-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/3976-8-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/4016-90-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4016-99-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4192-563-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4192-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4516-570-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4516-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4616-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4616-454-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4772-266-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4772-569-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5060-49-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/5060-55-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/5060-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5060-182-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download