76182839fedf03f84dc5b962b447521df50d5985fa13a1e08c8680a3f644a00f

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
Size

712KB
MD5

2e203b80e0b2beeda861990e9f50f299
SHA1

dc1ae218ee7487f78ed7144a56e573f7a1118e66
SHA256

76182839fedf03f84dc5b962b447521df50d5985fa13a1e08c8680a3f644a00f
SHA512

32377f66d6b2ee9dc1ce2890762adde7898e748a3ea14375d97edb6a58f5c6d85072a1530a6e19e5601dee887200770441a52d322736c40f1fb1d49551e98e74
SSDEEP

12288:CtOw6Ba2geKznl5TXJR0j3p2pVUrrQuLoWTF23JVbd0UILzXSocmKdYNq6:86BJ7ozX0j52pMkuLoiSJVlIL29mhNq6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5004	alg.exe
4800	DiagnosticsHub.StandardCollector.Service.exe
552	fxssvc.exe
4660	elevation_service.exe
1188	elevation_service.exe
2972	maintenanceservice.exe
644	msdtc.exe
3468	OSE.EXE
5056	PerceptionSimulationService.exe
4672	perfhost.exe
2372	locator.exe
3208	SensorDataService.exe
4500	snmptrap.exe
4336	spectrum.exe
1240	ssh-agent.exe
2792	TieringEngineService.exe
1116	AgentService.exe
2652	vds.exe
1092	vssvc.exe
800	wbengine.exe
3544	WmiApSrv.exe
3152	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f4280720c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000679ba9be86acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028ec98be86acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000608a77be86acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074b17ebe86acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a785d4be86acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fb35fbe86acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c837c6be86acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
Token: SeAuditPrivilege	552	fxssvc.exe
Token: SeRestorePrivilege	2792	TieringEngineService.exe
Token: SeManageVolumePrivilege	2792	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1116	AgentService.exe
Token: SeBackupPrivilege	1092	vssvc.exe
Token: SeRestorePrivilege	1092	vssvc.exe
Token: SeAuditPrivilege	1092	vssvc.exe
Token: SeBackupPrivilege	800	wbengine.exe
Token: SeRestorePrivilege	800	wbengine.exe
Token: SeSecurityPrivilege	800	wbengine.exe
Token: 33	3152	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3152	SearchIndexer.exe
Token: SeDebugPrivilege	3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
Token: SeDebugPrivilege	3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
Token: SeDebugPrivilege	3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
Token: SeDebugPrivilege	3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
Token: SeDebugPrivilege	3580	2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
Token: SeDebugPrivilege	5004	alg.exe
Token: SeDebugPrivilege	5004	alg.exe
Token: SeDebugPrivilege	5004	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 2068	3152	SearchIndexer.exe	111
PID 3152 wrote to memory of 2068	3152	SearchIndexer.exe	111
PID 3152 wrote to memory of 4412	3152	SearchIndexer.exe	114
PID 3152 wrote to memory of 4412	3152	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_2e203b80e0b2beeda861990e9f50f299_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4912

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1188

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2972

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:644

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4672

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3208

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:612

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3544

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2068
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2996a9fdf02b5e4e624ed33a9c8ea461

SHA1
a06cfcba043f362c769e1ea6891217f1d4ae17d2

SHA256
1e145b8aa6de9c9a5e8bdf9ae026541b3fde5d103582f083378b931b2fc1fb43

SHA512
e53db80fe65dceec4b64b7ce34ad32a03bd58bd8c13049fadce8d338f6a01299e05b1c482dfd6ce153ab55bb6d736ff64332d0f77d89112ac0b837a7e1c1c90d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
98b3983fb788344cfc4b3a3c8f4229d4

SHA1
e35e1f8d48300cb675231f0113323b5fcae461e0

SHA256
f0f03b3760b0142ae14ccb312af1342fe145dc8d6d170216b4dbc0957ea449a2

SHA512
4473d4fa4a714d575c4f6d39c948b69429cde6ea0c402a46d444819f58c0bec43bad4941a2ef6afaca4e57da0b0a5a5247db6b8cc5c714537771dde70cffcc5d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
a82bbd517ab958e40901c90d134e9780

SHA1
3907b9e7938f5d495ea3ae4dd5b629e8277cba51

SHA256
d1fc05e951ac2b9aeb87bee39e3b04e05901a909a108c708ae6f837e7992df39

SHA512
c064de79dda7f5ecc7d92e67ee1f6f9fb8043b48075bf0b1c381b25eb0d0e152181dc573a17a1cf8126b3672fc993d6040f1749dd9bdf63e5958d0fda5e9d61c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
10848a715d66157a0b2d497625ffa40a

SHA1
0890c200d39b0864f2c895584092f02ec10597e4

SHA256
44abba14580c35cfb25d3d114351aeac0d9d2e403dfe8288a628fcd0eb4744dd

SHA512
21549bd873dc06d36e58177a873f97275a0eda89a2b1863500cd7e3d9bf1b1aa3582b7085ea4e21e36078a6a3382ecee44cefad1e2b426cbccb8325cccf3ed44

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8408b6264fe9144516772ec5e8b7daad

SHA1
5960c9f1cc5bc803d588798435d4d529344c43a4

SHA256
35a32fa72d185e9a965efff83650476104596c5f348c562959fbf9cbf1c23276

SHA512
29e261da03609612b7bfbdefb9d7af620c3281106ac52f28bb97e07ed129509eb75e2abf7b9855b8ecdbca1669198217a9040a95d469fe4937c4d94b3df8ea86

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
284e3f4f8f997cee8cf47cd494692524

SHA1
5b5cc6a9d863c4c5b4a22348cd4e4c1f6ca958c4

SHA256
1426137b4cbb1ad51e3cafa7f56756bcaae5c5649dea96ed2004fb93b8f46edc

SHA512
4b47397677420e19e010c0295558d76bb23dabb5a84a2f5bc48d05fd276314895f5b0f2f3cab89fc67e0613ea32eb466b0596b087156a65f8ed0fc9e7f0f700c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b4b3f75e5ce53786d40c47d60ac43f4e

SHA1
6e815765860ed40932335f335cb003c3fad699c3

SHA256
7cd0f92bc772fe634de727178229087c0c4589c87bf9c1546d7cc34b005afcb8

SHA512
b07b06f4800dcfc8b59c85a01ed24c328e5280b5f447bb57d0c681c0081aef98f572a67466ef787d2b6a7755363cf8add45c62e3e29963f3ee6f27621ebfadfb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0b68d7667e9ed7e7beae3f35491b0053

SHA1
84a9b5eeb04f1b135492914833f6a76cceb2028d

SHA256
f30605042fbfa9bc8018f9f1ae726a82ac8320b1e4c0029d95b6f8488be6f8dd

SHA512
20995d5680e7d09c7793a829f24abc11ac338fdef7e73af009c535eaafe0a6ef1c932dd886cf0fe5340b7a0c832bce70298cec52467c52f92044df2b16149c3a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8da4418e3f8b04c0014a8213458686b8

SHA1
5b0c382143390255aa49af7294095f225657daec

SHA256
dba655597ebcd5710b133d0d3948c6d55354fef5df54fe0c08557d2dd4292641

SHA512
ce94590a5a985581c1f689f419ac7861bdfd3bafb39b0ba2e1f7b455b0caf2fbc0ba31b80d1dc6b0f29ccfb788de6b9cc24e5e2937b9461ed4bcf61855aed049

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a1b694dda7839113c08f2bf5e69851d0

SHA1
aa6e603f1b540b1fcef186eca918e5e9246893f7

SHA256
7ac09ce85711324ff346c150e86966e7ecdcceeba4b788887bbd6c72c777db08

SHA512
a789f93e42f50cf2f22008536bfbc8719606a2a765cdce450aca958ef4759737a73c6445f003249bd9fd47d7a53675ce9631e9f5b63982c46c0d7e44df51e949

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ce0c5aae793f7c4d1a82acb60a9929f5

SHA1
258f4eaf8d93aef4144f730021a76c31753a3dad

SHA256
c32cd6517b00941d0676e64a109ebcc494d3b758e17ff7d8781282f07b1b127a

SHA512
5b028b66c5d4037a81546b1e674816416602d77a0792121f942d954ae734d59024457186529bfc6d3fe113c968258747d824b5c8dd8f21f4b96b9f2f4bb821dd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f7e67a1e8d0faa4a8c1ca7dc8760545a

SHA1
bc7a9c0112107939a824a51d140ddd6ebed26461

SHA256
5389830a75238560e2674f9c4df9624147984b3d3fdeaf2b421b72fa3e66aa01

SHA512
ca388491c3a6545918a784acf98472116e2e66e275b3e3f8ec31636e78770c1623aff3807ed37fe7fc48773f46b57dd3b7e920c9c84cdc05689e433493873f08

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
cde7edce3c23dc3491c962d115976f5e

SHA1
2562ce704b6447791e7ecd7e8a7516a81c3e96f6

SHA256
e3f1873be25d2a255a1302cb6b26f31e114357fb3fab035ba1caf9d4f562c537

SHA512
7c045abd00cb14cb071bde3da44f2b68eed5cd05aa8d88bbc92f923f335ac8af127e3c5f4c8bccf577bf972456454ac112c33d822d582357cec7da5be4a64519

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
afd638a500f957b41ab4b178ccfebb29

SHA1
2df375e152ae878ac42d80d059f0519c7281dafc

SHA256
17463499acb63f95d4588fa938db189fad7b78e5f8fe0e5d94f333a524e800ad

SHA512
cc8e4d5a4a760e9743526b958b099437de4970c6f77f1ff27b94acf85b9d492cff90902a662b4bf35d73d17d3dddecaca4f7a8916c5c7f8eba9a6d3f45db8555

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
44d32508e07a1f71e5d1f3870b485f3e

SHA1
dc716ab34e59e82b7920a7143b3bbfb841585e51

SHA256
b0b382b94dbc8e04a4652f73cab9f9441e85664f2188b08ce9600cf4a4311c04

SHA512
5842c6ca7bc1d7774a38dda41d794a41060528b3a1d8773865d1248b1c7658e54d108ac15fc5204e00d2b19121a924aae4f1b6bbfb62f071a5088d6d2bca86e2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
867bde29ef6a11703344071b1172c44c

SHA1
6e3169bcf158852894eee4fb6b854adcd9df705b

SHA256
6219bf278082699a814d6594e20e6a42e65afd79b6a0cedfa727c30ccd849e93

SHA512
7c577d06b83604ee8085f7ac1a184d8f17303c75cf1057cc79b2eabfe875375e9691ec075a3c42d7af1f0f4185020d5498126ae1b5168609f73f7279c7b5d1b1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1924a258dbfcb315a92cac51c1fffb4f

SHA1
936dd665f07423098f919ae9003fe34461298484

SHA256
8579a2f6d432daa548c7d17b90ff82a9bb01a6705d8835518a9057671d2e8d33

SHA512
1b8c1f15cc8defc8bac7ec1ddb579a13c1090d9e2cdc8b1f75fb59b353962ed6d64b7bdc2698fa7746c88ed25b586a4ebd64ee2c43f4b295b4147703be063602

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
57c9ea112d804a2f87b252f287971218

SHA1
bc74ec283125dd16d6721358452eab0a7ad052c1

SHA256
d61fe853209c4daa4b7d45731b625da20f3ac98d7987026fc81b58b5a0f044c1

SHA512
0219f432c993a20fdcde9d233238d49f32a389de1597a53ed0a7c9ae4c20a8307de4cdc0b336dcd9902db908de49350acb44233c38690c875ad15117ad6848ff

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
630867f64435f277c0750e9583e26876

SHA1
8d7ae5cc8b140c0b2557fe3ce696333fdf27aceb

SHA256
a50e9c9606c829426d970cc73588f9b0cd83a6e8222ccc6ffff813b2b51bb82a

SHA512
74554c5ccc0663da44a1b9dc537cdfbe2a59e53f69bba09ab36c16a0c68de8187a61206981873b783b0b624fc3b85a1b2b30cc8bc3e929a298e45a4ad335087a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
94e33714e91952be265287c7f0e3dd9f

SHA1
18e37a01735cfc493f9342401152dcf47ac47985

SHA256
f25d4806fb3b09286dfc1b537f0123635cf224a0af412762364c58e0c6dedae7

SHA512
bf54035f770131630ddb75f268703976363f1413fddec726baca09307322967b0ff04bfc4846abd3c81539c5753735bd3e2d5a1a4dc793c259d482c5a0b8f43e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
badd78387468440531a9ab6d7d63af74

SHA1
a00e728e1fd6b1ef17837474c96a779e38a9d33b

SHA256
cb2cc2c1c31295f989e40ad9a5b68d54ebe03987a51a183948e92deba8e9508a

SHA512
aff9928bf43d5868cc76cc7c80a248a7c3dcdd9e85ef5cdba3a8691d1d4775641938ff610c6c3a775e3defa18c11a15e101139439be03f18a8fe415c06bb126a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e1b2f9cc7599ba5662b238505f0cf356

SHA1
e3938bc3badc7f7236d13c85a748864a45650b8d

SHA256
1313dd757418aca92f8bfe6ca4a17d956baeb9d40d66461d4e44d382342128c0

SHA512
a8ae1ad2fbd590dfa929d49e491acbb40aecbcf44c5648a35647afd5f55d82ea797600aa6f6e4cc86e991bbeab9271d494e0cdfb1529ed16d3bf58c39f0f317a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d13fcc389043f89200ea4d1707ed052b

SHA1
cb36a705e33c34c408b9bdd2c0d0e0f8f3370c30

SHA256
e9e6e8a01113fb8496c75b5ab1d0005119c36811ae1e98b4b0b1c43cb4f1dd26

SHA512
88e6b082391dc4f26cd32c3ddc6c2ace5420a0d2d9abcc3466c3e3fc1e6e9e64fbdff4e3d2e9c3e64f25586ae9d236a9e3570815361fd7f07bc4b914ebe01cc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ab8cf5e898da07e5c1c90267cb84a542

SHA1
1facb2d4c4317059bdb8bf1239e0d33b773c858d

SHA256
87d8640779b945796e105102773c7725a8c3c1162487f07526747521d4c8d51c

SHA512
f424436f0fbac5a725c2bc148511228629675776ed8b57aadf58de986591f7d9de149b53f04ec6291ff97f4da39a90ed2e277e80405d4e2c8713cd7425a865d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
743cca7edf9c1b6f2a7583328278e99f

SHA1
45fe1f699fe11aba01cdfd4ab3c29436f1766dc1

SHA256
4e07a360d3dd03699889582aa6475bcf7b1cdfec50ee007a7630ace3c134ad5c

SHA512
cade21314d6b3239b86354ac40af601313d8860f5d8b6433ff2d81bab8ffb5e761fa1480c63563c81726b9a29a6533b761d587e17d582ac6c5b7f18d64c0add6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
0619f301b56e7eed39d72e2bf9c8d014

SHA1
fa49d2b71132cce3a3a9c1008c462569a86d1bd1

SHA256
70ef136a19afff7c4c82d0039c55a16d164463a314b2590cb35fe696f88cfde5

SHA512
6ed3d3140616c6700d223832ed705e5a3f7158841d29620eb5f8fd44baa2887f42334b87017adb98666cba67a1369c9e0fcaa737e50a273d6631da4718ff1963

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
9a993bdcfb86e2d5912682a5a7650335

SHA1
21073388e19c33bd88d5ffa751bc01cac167059c

SHA256
41475bf98a4f4ffb4715dc3fc938ccc45d19d9951ce7e9a468a0ed6e254384b8

SHA512
760dc08a98e664554b52bff8dfb7994572634300b769b58034d241399c74f5bfefddcac300ea78f6587adab02c5c13ef8fd29c89477e6542eef540369b3f47cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
62553c8711c3ae24045c239c08cb96f4

SHA1
18b3212fdf00fd13df35c66532ff0edee3250bb7

SHA256
dee782a5c0feb898bfb2427890ecc9bdf5deb00012587947e4dbcdfaebf0c32a

SHA512
480ad60a9aeed2f39dc6add30e3dd230cb0c12a2722ceefaf4c8247d7b6e32386200da058cf90915912eb87b76779fb4b873a2e5a4e7ec48f20da5aba505ea72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
dc47b261335bbe62a2d12ba369c6f57c

SHA1
82e4dd9838f006556c20478f17068c23bb30e92a

SHA256
bb1fd4109c295bb5e97ef29178d3a116dbd58c659e4fd81bc5ba1616bfc8007a

SHA512
5f0b9e863cf2b4dec4bbd7a6be099ac815a3321fd83e2aab1a041c2c812aa2daa3ff9f6216ff27c9326ec9367045f737bc150e4fe41806ba9d6ceb981025ddba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
cee63860cf351f1200104d89f4ad04f8

SHA1
be8b7aa894333f9d620e4ab9419819b01ff69f08

SHA256
87ac452981af8d67cd6947ed9dee77c3364b45128095ca4792afe117519e9fc8

SHA512
1445f8fe666248518ecd428387d6a69c29a760ac2b8e6ed366148f96b728478f1b6bad9c7dba52a36c1f2d0729c4a498305248bc0c21da056d2fade359ca475a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
793fda8fb682d4d04003576fa83507b1

SHA1
0d51623c56d94d3b12b18e20fc8adf139427e3a3

SHA256
ac5fb54e63847b10303c6ae356e56e04066568e1a373b248b4142244cf513a2a

SHA512
41101dd323d65bca9d45a0a9c0d39683a24a46624614947357f6c3a75a5b46a499112d1b14580ad007f8bf4ee6aba1f652670bf0e2bbef49b7180fe6ce57b5e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
57e0c0d41d5b7054bdf49261cce86834

SHA1
24971a0fe44243c19ec7d7128dba8998c74335d7

SHA256
c63d0f870ae867938c15b7705a860426b9021d6da9d6648f3af932dd9fc28a69

SHA512
11fb264d6a317bed8c87362e7a5f6114887b18ad2b42e5610643411f7a700c7b5de0dde974226e2ead23034c5b79352041a018786a3b3a1240c80397e30b2aa9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
bf2468ecf5516a9129b95cb283e4c0b3

SHA1
1313286de4805c6714e5ca8386875e861c4ad4e5

SHA256
c0280626103da7cdc5f821bb1537a5fd1295de28c18bcec41c3e2f899f4cda21

SHA512
47b4141a6c44a435d1d79bd5c2d2398f9f7dc30ef87ef74c70978f10af552447f765a6b0c3f9ad0045d1458a5e238240ce9be22dd8a81e1ae2219f3c11d78d84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5874e8154c14a3213a2b82106ec66f2d

SHA1
a1b7e474814023ed4efed3cacda81dfcaa24b112

SHA256
2a91e31f07aa1103778d5a5c90e7802b0f17a88514ecb7051d5aacdda29113a9

SHA512
86fc86d49bad60041099b7ca468e3119a34c7aa0b3891468c41385c3a57c5c9cf7cfe1914c84ffc2a654e1c4e775b50a94c0b269b1e8d40d766adaaf837ec7d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
d263bb4e52c7c94b6d408bebf9fca31d

SHA1
2e5b3fb7c96d7330c03a7dca86de5cb3a19688a6

SHA256
bc92b204daa9ecfa1bcb8ba8b5a5194a88129a3e989994ba81ec0753716f99ef

SHA512
f12f10be0fc756f0eeeafa671d61e47832bdc923ebbc9c5af1456f390334656a8060654f242244b63dfcf3d4c871fcd17c9c89bb10c69547193c823f4868d6cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9684fcb443023324eefc38fa4866bfe6

SHA1
f6653bd21b5672afe35e24d253b400bddeba403f

SHA256
d04b407948bb31878823528d6efa68433ba265f65977598f8d8f6a7a5dc0179e

SHA512
402fe3e531522de3c7447b777b3bcc51e4527d8f3ad0b7829fd4415e4d73c15cca38321ac79ce857ca46357ced2e4ffb9633e65a23f8f388ef0e3edbd452a41f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c6501f380145654aefd44d46c90e3fb6

SHA1
346696cb1e3f245bf4eb041e9746131f0c62e68f

SHA256
027f3001777f6660bcd200841964f18a4fe10d0d3fb05d970afa4812d0d7c682

SHA512
9458f79ff26b7421df07b02aec4bc8c40c1a2a8fa2475e8b3857786e4b33208e6c3547ddc837bfc0cec52478ff05c05efcc2f6980dc79115917b323320674d90

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9359e2cb69489bb8a05fed9998a574fa

SHA1
4cd37b758cf673d12b6d8441d8177b942fd1c6ab

SHA256
b2bd1f712b4a75dd7fbedfe774a7ffe9fe51d96ed123b5aeb5430beb23c6c894

SHA512
cf77714bc85afb12c7c1c0e326ae6de44fb783b155cbd9809d895562fe320471edd03bc98b6619542d000a29364e27af606d573b458f97643f11c4a4bbdef236

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d5839d2999a35d3656819870025ef14b

SHA1
cb8f83c668f7d6b50905dbec16d9bcc43714152d

SHA256
0bc28b0c0487aacd126bcdb6c4b9dbd3d627b03816907bee8013cf23f4c3a663

SHA512
0f3e9ec5e291208b2b0b9208b38ead42234a2590d6bfb850a3f7f66ab9ef41a9c5bee124ce439f8f17bc617c62da28dd8efae525441af80651671bd29ab66700

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bb6a11d47a118a420d630e9694cc5431

SHA1
b6a7c8c2fc6403833fb2b35ca251dc585ab3cde2

SHA256
c0fdf652a4962f7f41d75708c2ff9aad8f7cec8ad0f6692ee6354e9bd9a9e496

SHA512
b106d3b5fd2c8be7b674cb5c48df9413bca3d7d089d20980519263b93a558606a7277cc9e12e8553d4784e44a8683b93a80dc67145324bb3458c2a9083f2895f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e0f04fc64af2df7cee6af7277c7edf8a

SHA1
0296446fe8954100269fa0dabe193463dad01850

SHA256
5bb7155b5798e4500af97f88bcca177d29b39080a63f07493c5bb1bbcaaacc06

SHA512
d9d53daf12b329ef113640aca56f8192f04ae27b3e279c45f3c944851d891188770fbafbba3f315eb77e4549214bf7a752a21517a241177dd4d9e138aec3fcbb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e0ed51d8f5fd75f21c38fba9ffe28912

SHA1
8811b117f40906bd017fc64bacf8c0d350dc9e23

SHA256
32c8206a7b4dc4e25f8a52d3d29e336799eaf74d8107cf905e5d1ee3b08d7784

SHA512
374b84d423ce2a6b79c3eb7b970bf2eed1292bf6c8c9c2d4ad83860e64c3b9e938e753cf7b0e652f76c9cd8037bb6aa85c364072ab85218d2a4e16b05e52dd31

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
bf815373a92631645ff6a3d896288887

SHA1
1a2acdea0aca37372d54f0a9175c573f0c85d87c

SHA256
f18dccbb964698654ba6c0c9914bb1dcbaa8332ed4a2d9e9ecfadb7f2c06f6b2

SHA512
239c3cc6989e0489a9b75696b5fad785d6dc335d9a4a361ec616a98d8a2d53d803077894a8a1de545c1814c12229e3cc275766d6c49a72a9f093331052847358

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0d5b9e49f8652d9a05f91c5990047643

SHA1
11ad5def8163a95b36ed1a58e49895bbc407e983

SHA256
cc79482d66c7dcd4aab18a82e1dd5d4979257f972d1c42fb9aefa542bcc87f03

SHA512
7a4de5b426b7b09341ff35538112c49808ab35ea282f881a16964b41e2b89f227d74c96dfe2804a0e0914ecda93b17367d126e8b23644a0b8665ac258fdec7c4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d8134a88564280d16496e3e390f6a475

SHA1
e7601f3ac2422bac9a808a227f1b91188a626da9

SHA256
a1520eac11f641be8951679fb611201877e59a6c19f5e4a0ae5a17129bee694e

SHA512
ee3abfa20307591e8358c57acedc4ff91744536ee2c14071c1d09e795ff1bade61ce10e8783cb2971e7158ca7c3c77eb666f24d9efdde897539f5326ce9aaf80

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
154bdd9d4312e171da368431bc255741

SHA1
28b482c061797a840c90e67fde02c56b29c09c45

SHA256
0f76569fb0a7b362f33be3f1212da68e07cd466db70a35222d9a5ce2023c01cd

SHA512
f74663eacfad3f0ed6e84ab30cc5f92b247939812a22bb792d33c6f56a93b47fae19939489419981166fccb23cbd61667e88f6e3491868e068f358cc1086cc96

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dc457f8336d556f8346498125f6c92d4

SHA1
17988584bf666bfbe1bdd01cd5de9ec8be412754

SHA256
b628d77c3f98cbb04e46c54106933355e4ad3d6737d91e32343b8ff507d398c3

SHA512
cb4aeba3a55384d6dad0f1ed8b778ac003527efdbe3fd555b70f00a73954c4003b3aa90e5c0ca5124bb5d3a4e91f6492d3cd43ab496579a9c1874777e31a1ecf

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
79acd1f030758ddebdce12ef10fd3c5b

SHA1
dfc81a191b56e3c3fcfa0cd60613f5090db95c12

SHA256
5d5c6a0f61cc974ed146e77d1f9fbf8885d974f9a3bed5539b6aed8032540ec1

SHA512
298323f9118264e1bee87eeb90451a0e25f77e2b6709f8a89a692603dceb511c66c5825c4db64933b5f7828e83f5b1720e82baf99d1ff6d994e7b8e37b89b345

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6f298c082a48f2805aecae75230e7f1d

SHA1
9768dcb75be09c8ce755f1145de2b41b0f152807

SHA256
863f8b0101ecfe483b804390c5a5c91e12ec5f00ed7a621db09103f4df738b49

SHA512
76afebbff15eeb5cb09fb532de610b210a9757bafcd39c14a331005d2afa9ad2de32a9256c9f305996d98a70e6997dd5ae124f59e336c0b45af23810ae12d1e7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3a323564eb92b9e9ab1b492a4ffae718

SHA1
ec3fd4dbff1a6b58a03e12fbc6c5070591053472

SHA256
f7c7e2320a40b835704316133213fceb7db387194e175437698c1a6dddbf1c59

SHA512
eab58f0b5c6e1c8606bbf6ef0ec3f2d86e309c6ba13df05e1b37163aef32952ee3e8b0000bc7a4d920ee512be33a36b1bae8c0b6a6cd109b8b1d87b832b27bc7

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c8fb11b0684435b41dde4dcf76dce293

SHA1
29275642a10825ef4bfc918adc1acea631b4d34e

SHA256
e4b7f43edb6331467d4d1434ed432950c17e84d48dec293ec9a8e6a2aad582a4

SHA512
7a482aaade12a1128ca856cfcda8495838b3a789d855f2fd847394758cd27b6014859784e47af57156d57897d7f7b3f03aa83e607677c23279ba40f77cbbd7eb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b0fd5f5cd19e5f900db3ed4e5cf7cb45

SHA1
1cd171451f549125f419d96e038e65cc1722299a

SHA256
f52bf8b321d6aacc9262492e316468823faef46d8fb371692a8880f3f6eaad78

SHA512
82723c8c6d6b94caabb0096fd491c4c885c8daac12d4ada71d9ee5a86307b4c27f163af1d62a2f991464ebebe670428b9bc3b45e7a8cfab727bd125220cce958

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8df7472671f342ce90d9984f77bd6c6c

SHA1
1f233606d3af01aa3afe083b3d809de9b4563861

SHA256
c95c4db834228e27f8134ce7eb217c9061fa874ede6e4d61310c2e2ed55c87cf

SHA512
d37120ab7706d004da5a8ba7d4aef3b2154e659e03230d65c22fe4d35b5f331197422c9b8b4008dbc19503fd861836ced1a56150586b8f4cef15cd82cdcf2630

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
53183e17018eade7e72b361c8de92a91

SHA1
1aa990a7402a5c297b160b6ca6653c6a5ae92337

SHA256
2a3d889dcca093c95fa24c91481de0d500ed469307767d5457076fd5635bf546

SHA512
1c564b99b4506cebab87955252d8184cad6bad46c8cdb88ad7f8f14fbbb84444065e7c95661f1727825c803087c926066c1db2663bbf4be1948d1d2c9065e0d9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
af8a28d393497e711917022b06fa133f

SHA1
78badb1b89e1bc8b379e9b0d2741a61ab8f18ec9

SHA256
785bd357384d0a384a30a2c475d08593e1337bda9739d92f6d8c6aba7a5912e8

SHA512
433d94d284e8986af30327399d867bade6267145ee5cc638e0bb21f9835e6404cb9ca7a731a61bb2194eefbc008cd84fe3bc266b694f04d36799f2d5b69c3be9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0a06fd765faf1cc026714e79c4b01ed6

SHA1
daa49e967cbdb668cdb69fdcb7d81a5813132c6f

SHA256
5dca9e9258a87494eab2d12c19233621bffc10de6655fcb264d395fab7d456e8

SHA512
0f20f92eec6282a26b072af671a89873da366545de89df86c3695969b99e5b95174634ff1f59a73244be60a17940638ad848bda5322c795149edebe850d3aa78

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
21e34e414cd74d1afee441077a33e0fd

SHA1
eacf6e41cb6a29654d12309c7ffea23c605a1b16

SHA256
0c45e2e794395c1d0e81909baa0b3152f73a64ae6cd57a981f213f92cd54c0af

SHA512
47b92c045bc776328cdbf79b05c288402c19ecc9b3047ada98088e7137dfcf3317d32856790f532d36e47d72c2ef0c9cb711949b3a2e22ed47b2db63a475b244

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3b72b9fec669174ceb5fc0d36906a303

SHA1
a6ba1ab9955b18979641dfcfea6bb3a1b4ba38a5

SHA256
a2900aa048d8aafe775b780ddaa3e55d7dde4d350d54f526d6947617bc862ff1

SHA512
773ad0d2b1d58bba1ce51fd2849f1c1dd9d7d388afc2b37c8250184366c219506adfca1b2194093083148766d168718eaa6d0ab74fefde292c275d7f62c8258b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
d7bb5e5a8f7aebb229f51005a1c884c9

SHA1
6f3b05427aab6e10e85fe37b4ffc7aa1d01dcff0

SHA256
540af1074d6cc23a1c61901d8ffe57157b820168f022ea3bc8ee83ffe4cd617a

SHA512
0c569499cb43fbb3a20c6563e394b007bb1c4c435b79627021a187b06867b0544e8a53a76488089b84e4e122717492a501a8ac814ef6de8bbb0968a980bdedac

Download Submit
memory/552-37-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/552-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/552-46-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/552-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/552-61-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/644-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/644-203-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/644-92-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/800-610-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/800-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1092-575-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1092-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1116-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1116-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1188-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1188-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1188-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1188-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1240-181-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1240-476-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2372-133-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2372-262-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2652-219-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2652-478-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2792-192-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2792-477-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2972-76-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2972-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2972-86-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2972-82-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2972-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3152-614-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3152-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3208-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3208-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3208-475-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3468-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3468-218-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3544-263-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3544-613-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3580-6-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/3580-75-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3580-1-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/3580-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4336-469-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4336-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4500-446-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4500-164-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4660-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4660-55-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4660-175-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4660-49-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4672-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4672-242-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4800-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4800-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4800-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4800-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4800-31-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5004-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5004-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5004-11-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5004-114-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5056-230-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5056-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download