f9b6d6d849b4f6c0fd1db271e75d863457b9093fc9b82ad2487828d96b802b70

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
Size

3.1MB
MD5

47e99477b14af08471333c818ab1a83e
SHA1

6e1e27448050b6bebb2e54d3eee8b020e96d299a
SHA256

f9b6d6d849b4f6c0fd1db271e75d863457b9093fc9b82ad2487828d96b802b70
SHA512

37909329ce06db9d34f64c005bc47164c718661e7187d86e851af08203f23e1d4b95db8cd5cc794e692a8f0f57fedadda34e979205255917a4a9d806b0a788a1
SSDEEP

49152:2l3GbWzcMqnnWI7GftYC5iqakWizcw+Jxp7LNiXicJFFRGNzj3:2QbWzcBnWIHIiqapiIw+l7wRGpj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3628	alg.exe
1156	DiagnosticsHub.StandardCollector.Service.exe
1768	fxssvc.exe
3352	elevation_service.exe
4524	elevation_service.exe
2500	maintenanceservice.exe
2768	msdtc.exe
3400	OSE.EXE
4632	PerceptionSimulationService.exe
4996	perfhost.exe
1724	locator.exe
5024	SensorDataService.exe
2388	snmptrap.exe
1708	spectrum.exe
1876	ssh-agent.exe
1196	TieringEngineService.exe
4820	AgentService.exe
696	vds.exe
448	vssvc.exe
3112	wbengine.exe
3008	WmiApSrv.exe
4436	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\295194f44a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7dd40be77a8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bf072be77a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a95175be77a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7ab12bf77a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed2209bf77a8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031787cbe77a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbab6cbd77a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
Token: SeAuditPrivilege	1768	fxssvc.exe
Token: SeRestorePrivilege	1196	TieringEngineService.exe
Token: SeManageVolumePrivilege	1196	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4820	AgentService.exe
Token: SeBackupPrivilege	448	vssvc.exe
Token: SeRestorePrivilege	448	vssvc.exe
Token: SeAuditPrivilege	448	vssvc.exe
Token: SeBackupPrivilege	3112	wbengine.exe
Token: SeRestorePrivilege	3112	wbengine.exe
Token: SeSecurityPrivilege	3112	wbengine.exe
Token: 33	4436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeDebugPrivilege	3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
Token: SeDebugPrivilege	3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
Token: SeDebugPrivilege	3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
Token: SeDebugPrivilege	3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
Token: SeDebugPrivilege	3412	2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
Token: SeDebugPrivilege	3628	alg.exe
Token: SeDebugPrivilege	3628	alg.exe
Token: SeDebugPrivilege	3628	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 2904	4436	SearchIndexer.exe	114
PID 4436 wrote to memory of 2904	4436	SearchIndexer.exe	114
PID 4436 wrote to memory of 4160	4436	SearchIndexer.exe	115
PID 4436 wrote to memory of 4160	4436	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-17_47e99477b14af08471333c818ab1a83e_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1968

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4524

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2768

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4632

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5024

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1708

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1088

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2904
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1e1c37aa658e5ba15a15c88f9a46f36f

SHA1
3255476811953fb30e7aa1e404a1663b7792a2fe

SHA256
c4b9d3c3206ad60db205a22c4498a4af52f09f5522de28d7b3ed808ebf53124b

SHA512
8f1a8f6ee62c81a8139aa26b47babe60bc5a5ff419445c797096980cc686769b86dc9f59d7cca86ad39da2483d75a37d7b00a0131f0af7e30987564070945639

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
d4872cfdd6c6413ad2a57278fa1bfe80

SHA1
ed567653dc15f3b98f618a8cc9b129068ac6d5f2

SHA256
93f82f334a3ee33b1d93e528e759fc691cd28034c3a871213f261eecde551636

SHA512
6d4859c1918b3c98149646bf2e5b8b2857d9518b764c350cd3be8f3723404c65276e7650de61d9e68ddcc1635f60be16c6b2a834ac82b4e082df73d4e1b80ec4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
7351abe9cf0a3a24a1f59d81171ed812

SHA1
bd69bb09a55f914775c18befc98eda3acb273261

SHA256
1107a75051c53479e3eefe840525f1e70357d019521a732e2773e1d6ccb5c7b2

SHA512
95493fa20dca54c64c3fc8e93bb0b42004852990e99384b762e9e7e112c5ff3cba7594bfbfa423ce3908d681fbcb8a9b451d9a40e4c8e9ca77fb3136153779ff

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
44d8acd0ac4c8d0f8a0ca08df5cbdc57

SHA1
5d2585783ec17afdfed9670f4f0f3fbf11e5758a

SHA256
90824692ead16604a337cd23b98bff9c37524cc71340c42e4da2a71f491fe714

SHA512
4156391d6947874d735272f08a5b96341a1433dcab87ea9e9c1511b4eca76ec599b84c6cebf94aaedf4328c0be7035e835c5e868f4ff085c0a5865b5447452e0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
24bf4688812b5e8ecce8290a985357f2

SHA1
536801bef05384f008365eea8e7ad4886093d225

SHA256
353c412f69014222d4ab2da319d3917310c3b5cefde9a90446de5363e8a95c13

SHA512
7986b28b775d24d2ce31dd847d49ae6cf2da083dddb0c84a5a8eeaab86350bd3fbd23c2e5c13b6d2b7cdb0a64cf07ae60b7fb6b13705e34f551c115098b99241

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f7cf14b038002c2ef44ad904b8a82222

SHA1
46f0fe8df3e46505aaa7bc69df97eb7e89c4b302

SHA256
dc76361fde1ad056044135004c9e712575992f5f074100c9277d877e6e220e94

SHA512
66a5b5126d033a03fad70cca0404e2b1d1c5f6cca7f3ec5cf1e1c15c7b53f555cf08236143875d9ccd067f80c2b32b203ad6a42d8373833ea739f54e4fdd16af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
a9a985d8248b370af7d86b5d8808d78f

SHA1
c897d9ff93ee43352dcf33fe32b26a5023bcc743

SHA256
446ca177e9c395fba8441ae7cfcc1ad0b899cf81edcb60286d9f67724ef7b40e

SHA512
f51bac091634f8c60c03cd7b69340497c9bea56d579f63f3d72f5878b68b11e2f5f76d2ef30f68cd4b28d5cfa2d82aa17d64a6f9a2a9ea719a2e78d488183a62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
de8ee3af6714364a6dc4c72a0767de24

SHA1
9efcd702c436ac33a28a7eb71844508286453dba

SHA256
c708815e3f14fac5878e62b7d069d3f57998c43270fda5ce37b682347f6fc8c5

SHA512
0eb4bd00e285304a9c7893c8cf6451be109d7545ee53e6daf31fce787abedead3128a1ab54c41891fd98d5dde750b4bc613cfa83d2d3aaacc5a694c040925098

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
13204f570d8837feaa12a17d37f51735

SHA1
993c34163e75a66800fa866e7cf5e6433de3a0b9

SHA256
67e6e14a8d0d35eeb5b50e2b36f358336ff2f32c3a38925a5e9d4259199cb258

SHA512
dad567a3db0c94ae82e541cefed5457ded4df7a2e6e6bdc93630c21a7fbf10047aae16170c70e65e8fdf1c67e488fc54681130906fdb6a9e9dd983d28b64703b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2100087a8484483c7f62c0677f0f473f

SHA1
a4afbc2fefec0538b1718ac973e464c8e3eed866

SHA256
b74033f09e5891939b565f2da1a944fd852ad2140c95efffcad7175972744718

SHA512
a51380d5fc987b9efe2945c687fdb314dfa929d7bf14908176f3e9caa9edaa8f744a02bda084f0cca0697f59cd0cef47a48911b3ae00ed5246fc11c67096ed85

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bf49cc975019bb3c46ba0d0d5fa9c3d1

SHA1
1fe52d3c6dbd661d1a060fdd810c8ccb3ac312e9

SHA256
5f597aa193b870a3471d99f1445db7fd01ffd7de23997dab460c86aea94e2919

SHA512
02efbf196447b183d19d154a6c4e00ed5b97c9ec58c3c4777d50c414571454a5bee66bc5f0706e908f6c964ed6d5b47121952cfc27da5a895ac691406fc14413

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
24c918052c7db70a3e802ef0cc5d4f7e

SHA1
bfd3f3aa75f11013ae9f24b9d2ee41b18bfb24e0

SHA256
b1fc35f0c654d175c7b4ca4f8aa7f4751cf6ccb56885b34a00b67a78f5392338

SHA512
e4a40c26caa0649403b86701844400cff88263d67065a1657168eab21e127a77f99f65fbeec6bb3baf8d3c989427d65b66e4b66c7494c8f7573a241d719dc39d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
6890d87dec0517b834cca1c2452fe129

SHA1
cb8bf74003dc87078d0a6f7f0183b1f7f386cfa8

SHA256
bbf9e9a5732154fff1c2d7b8042a0d3703031bba107c743e241cbaaa16c9dc64

SHA512
2486b2417212e8380eca87a02a3ca9a5bcfb6dafa100034c4fff5082a67f22410a309a6fff0dc4c7f779c11086856a9ee9f9f3e98ca325c123f56f6433acf81f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
a6ff23a12a4ef4e81e3ed6d4881d3c83

SHA1
728685b612d6c7f04c1040689063956f633a9207

SHA256
33c34b2a2c987f6c3809c4b9864ea7b0cf682a030f89c9ffe74665da335a072b

SHA512
271c2fa7efc71bf909075fadfa352bed584499d48467c668d649fec470e54eb2e5d46efcd70e71dcd9621255e00a0fdf98d8f0665634030f530dce94d5fce009

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1824b84243a84c95cffe60b84fd8690f

SHA1
9715f3f19b99c4bdbbcaa9f26158b5a167e3ba5a

SHA256
f10517f7d6692c659bc78c432e7d2969037d7da98fbb583e7a84dff30e07544b

SHA512
a1960231e0ad3f22eaa287b82ba44cefa7ab76a5f78eb6bd56c185bce509f916db35e97b05350df9f0ce78389363acd2c77007bec3321f001afc307cb135a256

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ac6c316ed274d1e64c103da2fd49f50c

SHA1
ab7ac28581936839dc9555215c2c4782ea2cb19f

SHA256
79d15dd6912ad10f291979691b6fe7f35289829278b987078a17ee6503f974e0

SHA512
d1938bde5850881c7d191b74b40883a8a5f5a3380439aae669f263ce8b962dab5736b88f7666930ea7da8e748cab7dde5c33ccc0302a086dea2f51a3c3dbbd48

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
eb6c20ddb371cce9e493c0feb40cecda

SHA1
3c843f78d52749ad4a70d6cbcb0b7862db6fa91b

SHA256
1f0ae36a226ad5db29835761279f629db59966aecd2a1071379688491e4f5d89

SHA512
913386442e751520bfd4b99c9f4a42939360b6978e30e8e0c88222fbd49a4081ca72718c156f2a962a653a05105b4bfe87bb83bdd3441c86a835bc5800e4c09a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7cda32a62a9281d6602a7aae55409a90

SHA1
3e3938856f4f74373150b53c6d034a36b877b2c6

SHA256
f7fcb24c78d84e10f04392c250d924a90f72e22c9b17622d69c5075f495ca48c

SHA512
a751e0bde84100774ea8147dfab7a2c8388a3020ddb02ca5d985892bc2d72fdfd8a082c4eabe545ac0a299a4eb6955a13de100557ec6e451ac44a9d1f3d12242

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
bb5e2bc8453582facb265bf0055bb809

SHA1
406b3a4deac99e728b660169f465447034e7b2af

SHA256
f3a83b945d87a24cd451f1c8c2d0018bdf507467aae70fd7dd39d4e0eeda0594

SHA512
e328b7c2ced0f5b06f1c4992abcaa3d942b826ee6e3885fcafb2cc21862a5d828b6133164e57db3d61c4c77a0127010f3858dfb91bb47e37b51d35500437d008

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
60375a3f54845c5a283d1d45a1f23ed9

SHA1
e7e34c0ae37c881c64ca627fc98f4eb309d9fa25

SHA256
498c177e151641921fd6f7af4641dc3df3b7a0894aee9d808bf05574431142b5

SHA512
a10c188e425face5c1d7d361254226d5d399b9c4a224db01cdedc2d0916e15e35b372d52405f939c1fc13e278d633cd7a5b270a2217c2a41c416b523ea9ac1d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
5a5ae6f154e38686de13748c4245f1fe

SHA1
989d5bf09277b8c9ebad5d9055e461231f18a1ab

SHA256
01391081020eb4496baa7c8571aa77a67a17af56ce6f420e131e9d3343cb97f8

SHA512
6406aa1ecb7d4dd66a56e8662dbba9d600654da338a4c4426071cced8acaa90d43f29856c649c139ceef27deb7dca3fa0884bdeeee02f8274d2ffc67f7db339d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
29750b8c0720aeef7466000e30f10e85

SHA1
d0bee02218c2bfc9bf9336e3d83a7dc79f0e28a4

SHA256
f67551060353864119a933753e8fe5f51e1e5a10000a5822c5c074a2a51dbc43

SHA512
4183f599f636c7386a07e375b2659037212d850ac1a4c8d00205de8c893c56bd8f9939ceda954be4d9707d0ba964895a423501d9d310786f5d3f7ab8c23b35cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f565d49a7a0cee095b3f1f1584018d70

SHA1
312a2457ca99ba6d5be02ae17a30ada65aa90216

SHA256
f5d6fdb53f8972f40e9a5a716561cea7edc49b5507e5da7d375b75746e69d589

SHA512
7db2b75e824d88740c090d2c0bf954ee8ea038c95c8419d7686fc4d0841d963045d7dc5a94b59757d2e0f0f5d2f97dd74356f3d4320d02983e8c2c232e40a78e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
c822787318476705311c77cf8133ea08

SHA1
679d6cb0fe315e1b0d767a62bd96adedd8320ac6

SHA256
f98627980167559f86e99dccbc5c82a2a0b1e07fafebebaa66c7b3286809b754

SHA512
1f42aa528761d87782b0715e600f72d005bcbf95e07698dca875d9cd8615d2674c839da9057b38ee72be6f7e137a57f200ef321b347d5f30ee9b6acb43a49719

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
92bee6d4664a9e549a879d9b4eafa453

SHA1
ce8545ea6267f818f30f34e66936549dee3140b2

SHA256
09d311ff4ce325fe8c0bc807aeb81de464c22a799669ac5d57b083b2376a1991

SHA512
8bcbd2b432a76e893b6511feb9da89c315c1316fd7c042233b601aa629139deb21a292331ddba730adf53249095ded51d5121d280d9a55cd110f5e8dbdd4c819

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
328ba25d2bf48847bb9e7b2c15e4b8a7

SHA1
9bac1cdeee5da28d17c265080d8c85334b4c4e5c

SHA256
56f633b3f98112b99d2947fc806d64acb75c9e76f54f688ea1bdb1dcd8dbd2cd

SHA512
558e6c9f0f80604e42de33576cf3a47a95444d7329b8830869be53d8655fdcc6d0785183c602954632fec5c0b654b4857ae4d8d01c3e645104a1ae3d1a200cc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
7cdaf8d65ab517afaae662bf64efc754

SHA1
21af8ddfe73cbd61ea984eb86dcfd0bd634569f7

SHA256
44c4b83339f10ab29813a187daa462093ec8249a3e679f78bb43c244923cb0c4

SHA512
922944daabc22e2361c44f3edddf9d813aa73fbee429d58482e1c7c30776acf5dcc588086756b48865b5022c7811780d89ef5610aa6ce9c3f886b9c49bcbd686

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
75edd19ad9f6938cff90e2f329a9cde0

SHA1
1c5e2bc0eaf92ce707f4f2c313b5ea0624bcb88d

SHA256
8ba14d1ba413227a2ae1105312fb7ab16edc24cb0c5d5690e9e45a49cb28dc2b

SHA512
d8bad3c38560fc23d2d31a8dc14b2b3f2b3ba79f82f318f63788e2ebc6ab29874adf65da1843687f24677bee808ac684dbbf8fb83454de7afb7f2e71019005a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
6d6f31eda4d61325a3ae3228fc303349

SHA1
da92eb93871cc3358247ebc5c83c4a2510e8dc5c

SHA256
c16e4bc98a3ccbe83888e92c14a276dabd7e450464cd6c2d7524fb8886c50ec0

SHA512
03aca7a52a20a273b1e5c2f1f49b228c420f3cea83b4f50d4f033a7ea983258a734b5ba8574d8f88106c3de2855be107f578790098c1d45ecb8655a27a844be2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
ddc44ef313d0b93f12949a7143712329

SHA1
751d713b368fd9f3792f278eabfab6c0e45d43d0

SHA256
5b3e7a60217e16fadf3f82767fb363f93de177c3ee0657ad4f7ba9fc9454ff9f

SHA512
d5d1bf47cc4789c3f8e6a932ddd95fadaa605427e8db9440dbf0044a2dbd773a1269c5ad755cfd9e86fd4830175a0c243fff9cdccb947934a8cd4c1d13bb9f5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
1056f2709608b844ec46d36584789132

SHA1
8686347a74e98c410715d89765ddf0068116bd59

SHA256
8229443554695c371ddb8e27d0af9c909c395f2c57a5ee7fe885a859fb5e967d

SHA512
acca7eaa840e3476ffebba342eaf5b11dfb801c071212cea55f446b9d6371beda4f736122b621ac8638784ed64033ff17debd19d75867c122e857e80abe1e018

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
216bddf3c5ae1b712a314eca4b80443f

SHA1
04b90d6a3a36bda21c5cd4d60295873c929a932e

SHA256
c3ce8b656260c582876eea2e41622707a3df6be1a34f39083d53b5cd3b483c5b

SHA512
906bbfb78c63d74582ea8f07b3e3822eb5678846dd5e580b66c5023e38eafe9ae560fec5658984dc2cfab374216df2db2887df7d873b33b95e08406f2f2e428d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
9bdd60cf776d5b31a7d056f8143ec9c8

SHA1
b55fa6523434fb3907e46552af71759639bab7d9

SHA256
8b40dc1bc3d95e856606a4c65c715b7bcd614caed7ec8d2ee3661400e5862be7

SHA512
754c58d6ce562f357578c9ee080129268d34162972d1e60e127ea743fb65b7a0ecaf1716aed642fd3e1a6df6ff808a4fdfa1bacad74ca66e4ed9daccda973429

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
268e3b40f27dbe1d8620ac8b654e7f5d

SHA1
0eac15c9de5b858d134706088d5359f66aef3db6

SHA256
29908ced319c432f90512727aea5852b1190eeaf51dc979c55ebf9860efe0232

SHA512
6dc7f4931e6de807a3584e240285667c30c25970b95bb0624313a7a706d180f3722fc160759226b54226fdbea43b81e535afa8e03061b54564349983d5c4fdfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
d2140caf5acff834e27963b24a561cc5

SHA1
e14e48910a86240f69698c11fc322b7c1a292e94

SHA256
5623f770a50f00ba1d5cf5600269137a08e3f934ac0fa4a4c4780bb6292faffb

SHA512
cf2698c01ce1a5fc14f7e03d6358712f1fa7327e84b1bb1a63020c83853a2543447f0a51d9e093e67f3bd727197fb31998e67ea555d14a284878fc6a5e7c0eda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
4fa8f032fc7a2f6ebeddef6882616e41

SHA1
eec58258ab7f071dad9d88498498b9d12e25eeae

SHA256
0d977229121e1fd1a609dd532fdad7328f76449f1d50605005a202052de01f44

SHA512
688d4155c0e21890b565015651ccc7e2b5692801fcb936b6ce75b63dd8f584c3b224932e35d2070e0a863cdae39b3fa238c4f5a142f1d0c5546a872c0ee288a4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d9b22e6eda23a4931677d8079dfee61a

SHA1
f860483d5528aa379e3ddc3249516c2efcbfe2dd

SHA256
990ba1766d96b37c484b66eb412fa5c19e8cc05a0f8587c6a9a50929e0395f0c

SHA512
5a388c0cd6356c43d3358263aa35371b88fc31be186d0c0365ffe50cbe97d6f2268976c34122096f1b0039817e211d2d08be75643f294b6614fb3b7180862f70

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
0961ffce1b9d83f8ce5c8632814ea720

SHA1
ea8a77689c7873f77ec3fdcf45abaeae4caa31d8

SHA256
e2f856ba5741cd9a83e8bbf15ca45bed9d3b667398e1cc29e79fff644f742d5c

SHA512
d8c53ed21eed27ff885cbafc6046d4a68a39139a529172c00fb0ab4b3679eac6ceb9a319621c9211b4bec4ceea58e2a7f02ca0c971b3fad851309cfe1624ecd0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
80488f19f9cfb631733051355146d0da

SHA1
8dd3eface34544985d98f8ff31dcba19f4cd40e8

SHA256
747fe9a4ce5f5f55b08801ec7a6a7821a4e3f618284907527ee7de7d92a382ea

SHA512
02fa0f61e028a11cbf92f79f5a86b20da6df9acb8c6e7a58d17fda4c9413fe3b6bc21459744a4b580397f13b3b8ac972e3650e26681394c20c72a6c993b96f17

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4d2e28e8fe3693fcf355ab6bc5156ae8

SHA1
a273cff917c95afe6dd46ab69f87b6d5384cdc03

SHA256
5defcc1a14827a11814e0fdc7984b5aa277aefd0805106a596bbe74d937ba1bf

SHA512
179a4be669c35e67502bae167c1b27317b6761b28c1d0b68dbd27e9a309a97d41124aedb3dfccd3693ac6beed542d88d6ff4b04d2e06f86c5d4ca98e3b2f375b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d928a9c95d235122dff76a61b845ca1d

SHA1
48e3a58d638e7190a1684bfda7fa1b8d2b83eb52

SHA256
3ddf0d7292bde7071cf0694b299be916468fec6c0d76e3622672030f37469f6a

SHA512
61f6dac3a89d9490d25e6d5674cae23ce5a34122bc181b52a45b9a6343714acaa9839495130170f72463af72761daca3b9c34b49d1e8cec7a2463731e8880f5a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
463dd9140d8f9ebd1ff26a69a8f123e1

SHA1
36540947b6b58ec0fc9bce6bd0ca0633e6872227

SHA256
39f3ecacbe47e45bc7749fb2deea8f03861feb83ae37902bf35a47ac96f0f738

SHA512
2c639181532f673e68c32adc7349473fee6c32c485c76d762964db9c0f13e1bc1a3ab0c4d1f6b796455f874aaf8f8afb7c4ead7837c084ea7aa78e7c1b99eb31

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c88ea9a3c7a1f727895e01adb7407390

SHA1
87d70932b14ab005b89de867a81d819f6f86016a

SHA256
4c49110fe0f9ea2aba70c29e3a94b2e8066d5513df7ef2e04927e41ea33a3247

SHA512
476eaf7a47a4edf1a2a535b0726a3b4421482d99e2de54e2df12648d4aea008ce2ea9a4088a78af22244b2d4802036243d7c6d8d8a3c65dd78bf80d20f87b7e5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
1edfcc8c6ce3b846335065a8784acdbb

SHA1
cba53ff669e3d81bf41ddc70c8fd30be7c70192e

SHA256
b2e23084eff307dfcf2488c3a20a8dede8ac751cf828b5a8921108dec4083e65

SHA512
fa9af34bbf1c83f7c520e61ea547d678f96c8267b5fffe38e529be47762ae4ea272cbd4b1ee2d9fc9ff126ca011144c01eee7388f582793eb1b3cc319eb226c4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
3fa8b431894e9d009f11f00a56574195

SHA1
4c79f906c2595f304ac2ff9eae009af04f2a0801

SHA256
ef907c720b470bad941668e890ee0b6ad8d9a1b83d03d83b417d4dd6e50a4e86

SHA512
6c3d10218126dbc13c9bc867b7a152445ca01803e52848ad1f805938abdf5ad3b91b947f4904371a799e9610748b7c6e553b390f132c399cd57344e610ed12f7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0575ba95e55b4fbf2907c2229c357d71

SHA1
8a66c03db1863586ae0636acca8a11d660bc39c3

SHA256
9787ffa11fd49896ce5c57ec77ae704b58143a7a464e5fa1abcfc47b70af9b7a

SHA512
d03021786cedc4f1305ed9de5bb6fe4b61969a3167671d989cac62bcbd45b1c6239665530f15792cf4051c32659d40fbde0782dd378a35c72a9010110e01d2a4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3298c14bfbdf857c5fb287847ca0bd9f

SHA1
fc70ad369ffef8cd2f58b1cbf7ebe37108fef3ce

SHA256
899b7181139b86c12e37533a452e10f90da24ed83f106574ce923df9be931226

SHA512
009b9cad9d7a5807c77a7d574084d67cb278d4318b4cc945d7c7ff300a1015c73f1d106f0a60a0f46b3d086eac70409f6a8be8aff43de6ad872623730afaa375

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2421b5c1a358da516eec93835ba6ca2c

SHA1
2103c80812a593db73c0c6056378b6814838ba73

SHA256
83c54fd34aca45366637dd91fbc58c870efce2e1bb005253f0c4b4a80a4e982b

SHA512
5bc60e10e43b52e908de238c4493ea1a834095e2c7268e4ea0f8a1f4ee4e8667071db908c3da4730d6808a2379296f5b6c010008e0eb4334b3af71029493a8b2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
edc77f719a8edaf462bd5819d363240a

SHA1
301956e03145cb83467ba58d5ea71e128c420cf7

SHA256
7015e0a4e9859ab2e99256b61a2572baabaf50d8c294c2d21c9e64d5b9487ec3

SHA512
d06341bfd4b86f89d41f81ec582acabf23524dbde946cab51cb3bd050366042fe2176b02b04c08c25a248d8f526457736e514c5e09057668b43269d9706fac74

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7e001e71f9c57fb77bcfde41d79968ac

SHA1
2761ce5c9c60c5d47496050fb19aaa2b09999e3d

SHA256
8a2857a8aacc343f45f2329e463f394c0a13c233e121b8ae3829d617dda1dddd

SHA512
5f3ff2f1c8ff8f89d26df9b842b9011c457b142eca74284dd16de3d4ff606ff0161a47025fcdaef6533b4a1fb1154a492040a6eb5544b7cfcaf456f5ee760d33

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a260ce7432ebc1877e0926acfd1d32f6

SHA1
b506d05a9aa6fdf85e4f37d6322d3b2698271b69

SHA256
32a84017bb470c909e68042e6bac2deedda0100b7c2ab5604af6d55068a2f153

SHA512
6369400e863db0ebdd6f81d70549f60b8e44bc37a8eebb17ff2c664c5e1e4268bbd1a83005b3094bccdef03aca016169c69de85d0147b2b17de7b6c6af98917e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
0fe2add3c7f5b9ea1f8dc7d18aac26aa

SHA1
91f7210dec0686b217bf9a26bf141988949d7b45

SHA256
842b18b432c78911862a0d25e52669421d663677d6490c2a6563fb077766f6c2

SHA512
5002c7f90058ac735f14aa045c714e5a65afa5291659ac9ce9137882db4fa7867cf3199730a6af724d6530f7ce87276280470113cb9c99db6cb54d0f88094d01

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ac8d567d98ec022f8a708ea4d267b793

SHA1
0f3d2ac4bffe021c3192f17b6dfe1b0a78e10319

SHA256
5c6cfe023987741213dea2353aec4f9cf37ee00be7bb6d467952c6418fd3da25

SHA512
4e46f60f5571345161ef2c70c6a96d69f2af59c04e83a7d9525d6846d7498e2c16f7578e051106824998537e43ceaeba52a2d7a377d0af6df7770525e2cdcb24

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c8f45725d6e9f5d78821c48fef20d5cd

SHA1
937f7548a4403c030bd5e2642bc961d9e526f680

SHA256
ed780674f77205f5cbfe764b8b4c765d5b460fb7d061c90165da078890ab0194

SHA512
30c43db26909cc7b0e9ca4bacb451b4c6564458cce650a13a52b47da622f517c7a0594c3c7de16244710b63f8f4c0085612d98aa2709597882e8ff333a201061

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c5f4b43122db372afd1ddd6081b3e2d9

SHA1
e542ba8b16fe593cc541a5e8994cfb13f7fa19c1

SHA256
0dd534d2dff6b085519fb5cddc09afc790899d392ccdd2544de111429458d0b1

SHA512
b92686a0bcb1a0e1accf6534e9119a8d37198fce563b48a54275a016aad4a69ef9690692e1215d212b563d4530bde239be7e785ec9b6b0d7ea2d7bd642491be4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e8552cb7b89da1c60a100335893b757f

SHA1
3b34e799bc0089b7e1dd5a758cd3edf52facbaa3

SHA256
18b47ce04ddfbe03ad8c78d58e637a53c6a57b1a04c828ebd4e577854edc478e

SHA512
40e51ddaf582fe5b07a7ca7a6afb3d3529280cd245baebbcc6357e4711fb25a00a8613d4c0ead666fee3a393f7db661e1c1a7b73962920c9da1f51e485506e0d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
23eb219bb107f507fc43bfed80652fb4

SHA1
c2258988664c812a8d9d5546a2fbb265b26eedf0

SHA256
c1374ea2691d2ee5c10fedadb6c77a1cef8a8917ab752df5ef4945c1213f4eeb

SHA512
4825b28f91b063db4993e1beb6e517aafab5d0c493dd8d3a8b38baa5e808c631ded953ebec03b0c81e5f179bd2a2d9d313960087d87505dc18c1c4e99052e700

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
bee45bd84e6d22b155d648a42f60fec8

SHA1
65dbfa48be828666f8971d38c25b9abbdd7c7c94

SHA256
c8a449eeb20d6c8e7860dc37e9318db4b5d7929f6a6395222dfed193c78bcd27

SHA512
92f63805f47fdc8ad4ab675f17646e7446b41be9502ace88679db46b80c88995b477583d987d257278fdf4c66696d2fd85492c5bb4d021c4a9077b88e15b9654

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
58b29543e2bfcfb6b9157707095f9baa

SHA1
b5a4de1fbc07a13b1d365fdd83e670d587a2a1ce

SHA256
429299984c1a01092fcc10dfcdffc5d833adc3e92473c6d9980e7d4c43b35700

SHA512
66eaf515d03220a24e3fd0d617445670f74a1c555c930865f8ba86050607840a38e3b1ff8b1f06216ce3d2f9491addcb778bb278561915af8488b5b9f3c83fc7

Download Submit
memory/448-664-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/448-244-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/696-233-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/696-661-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1156-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1156-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1156-34-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1196-206-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1196-660-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1708-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1708-543-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1724-138-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1724-259-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1768-48-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1768-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1768-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1768-38-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1768-44-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1876-194-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1876-656-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2388-161-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2388-470-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2500-74-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/2500-82-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2500-87-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2500-80-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/2500-85-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/2768-216-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2768-97-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2768-89-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3008-666-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3008-268-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3112-665-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3112-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3352-53-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3352-172-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3352-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3352-59-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3400-110-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3400-231-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3412-7-0x0000000000400000-0x0000000000725000-memory.dmp

Filesize
3.1MB

Download
memory/3412-109-0x0000000000400000-0x0000000000725000-memory.dmp

Filesize
3.1MB

Download
memory/3412-0-0x0000000002440000-0x00000000024A6000-memory.dmp

Filesize
408KB

Download
memory/3412-8-0x0000000002440000-0x00000000024A6000-memory.dmp

Filesize
408KB

Download
memory/3628-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3628-23-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3628-22-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3628-137-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4436-667-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4436-284-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4524-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4524-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4524-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4524-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4632-241-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4632-116-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4820-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4820-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4996-247-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4996-134-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/5024-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5024-659-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5024-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download