42c8ec0b2aba0073b24ce2458dc892e5a64a41684a2c47abe3a9e4581a2fae86

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
Size

1.8MB
MD5

27a8322af7d455fc9fb734f8a79b5aa4
SHA1

acef6d82ac1b87320847762d32743098560acd86
SHA256

42c8ec0b2aba0073b24ce2458dc892e5a64a41684a2c47abe3a9e4581a2fae86
SHA512

e431eaf74848a2269cf4e45b1f78bba3cf5c15ce2d3e3a77aac1dfabf8ed00f62cc82570d43b5e2650fe1571e3d748e96301e398eb801f932aabc8993b643066
SSDEEP

49152:8E19+ApwXk1QE1RzsEQPaxHNk+pFzz+/2fNR:B93wXmoKs+pFtFR

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3324	alg.exe
2380	DiagnosticsHub.StandardCollector.Service.exe
5108	fxssvc.exe
4184	elevation_service.exe
2624	elevation_service.exe
1772	maintenanceservice.exe
4928	msdtc.exe
2044	OSE.EXE
4140	PerceptionSimulationService.exe
516	perfhost.exe
3980	locator.exe
2952	SensorDataService.exe
2376	snmptrap.exe
2912	spectrum.exe
844	ssh-agent.exe
1052	TieringEngineService.exe
2968	AgentService.exe
1772	vds.exe
2336	vssvc.exe
448	wbengine.exe
1404	WmiApSrv.exe
2436	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\87b305cd590e271.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaws.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033db3ed4b9a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ef47bd5b9a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe5216d4b9a7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bd5bad4b9a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
Token: SeAuditPrivilege	5108	fxssvc.exe
Token: SeRestorePrivilege	1052	TieringEngineService.exe
Token: SeManageVolumePrivilege	1052	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2968	AgentService.exe
Token: SeBackupPrivilege	2336	vssvc.exe
Token: SeRestorePrivilege	2336	vssvc.exe
Token: SeAuditPrivilege	2336	vssvc.exe
Token: SeBackupPrivilege	448	wbengine.exe
Token: SeRestorePrivilege	448	wbengine.exe
Token: SeSecurityPrivilege	448	wbengine.exe
Token: 33	2436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeDebugPrivilege	1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
Token: SeDebugPrivilege	1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
Token: SeDebugPrivilege	1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
Token: SeDebugPrivilege	1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
Token: SeDebugPrivilege	1128	2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
Token: SeDebugPrivilege	3324	alg.exe
Token: SeDebugPrivilege	3324	alg.exe
Token: SeDebugPrivilege	3324	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1184	2436	SearchIndexer.exe	113
PID 2436 wrote to memory of 1184	2436	SearchIndexer.exe	113
PID 2436 wrote to memory of 1888	2436	SearchIndexer.exe	114
PID 2436 wrote to memory of 1888	2436	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-16_27a8322af7d455fc9fb734f8a79b5aa4_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2636

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4184

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2624

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1772

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4928

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4140

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:516

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2952

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2912

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2628

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1184
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a48204e1a90b4c4c774da74b099190ea

SHA1
26b920e0e7a3b5d235c54f489494fa7ea854cab1

SHA256
b760637790d20f80af7f22fea04e137c84842ed237ce85d175e8a5e3ccd6512f

SHA512
c83759f9fd9f4549aff5c886da69cafbfa8a60c1a17231b84b22f02f17c012b1ea9a49a2cd7a5d756c8029f1566ec80853da26366cdb0dcd8f70a379ad33bfab

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
5d8f1681c17fb8175581dbe1b99e09b1

SHA1
a4b0964f02077dbbe982cd61da75c068b8e2e6aa

SHA256
3eb9eb1ad4d5c323a383627979e64c5316e71e40ef34f96dbf3929670cfde4d0

SHA512
582220f915b97a268da849bce232d201fcfc895cd6b0bc24e65162de5f0a3e9b7581cb73a2de42179280354684fefdc54484fadd15eaa49c227d8a00329e2be6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
145197cdf0bb6b256584acf3a5429f1f

SHA1
1d89b7cfd89cc2ff8af795cf712b27f668a79e1e

SHA256
79917b67d6cc4050a51d8ef0363a9d71b6c7e3520f51ffc7bd38289b99755f79

SHA512
1ad670820f7c787756dea31d289bd784490451f2940c07bc659b15dcf04f252d4eea62e4e0d975b78a3f3d2083c49872abad4bb8f6ed4a2f85d22c223c8ee47b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
46d92414129fa40c571d4771e8c8801b

SHA1
4cbe3f405ae53b3772f80a9dd6cad140b34afc36

SHA256
ad7765d52c75b6193d012b1ce20db32f4a5ea0b7b1518cbe0fd48a1de70e47db

SHA512
7307d475b587e87834e33213f38470ec9d3a60379fb056f6190a0b7fac752eed6db06b2cc4aa24d51ac4df57ddf198957eea9155c49bd7cd15e95982a29165e7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3f2581df1f8f25c1f8e2e2ea4d67a863

SHA1
94e3bd9a77bdd139f42f8c7ecbb578fe1bd7a4bb

SHA256
e99d55f33d17e18daea4f3770a92d2d2053aabcfd926b20565c3dfa9d9fc83c2

SHA512
1e7ad0423402aca36462b267f56ab1c60a167389cf06abbcac3786e1d3bacf1117a151d8e05133bcf6fa0df8d4741462399cb65c9025f8691c465a463f072ed4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
84e3139f49908e9c789f6c7f57f2e6ed

SHA1
c9ec02b00a20016aa228dfbdbf7c6dc533353796

SHA256
46e355dfad73d569d5b46990615c5baa6fdef852d507e581e8bebcc1dc339aae

SHA512
ba3da983ecfc22761204344cdef11226028279fb52ad4b6f37f4161ac0b3dabec1318871b78d3746d13a13b5e87157f03fd3d9d900ab75de7a153b318996f9e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
728cfba2d3e9d4f139eb7d1581cbd53a

SHA1
55ea572695400cb1bcfc11bcb4e4493b6cb32931

SHA256
30a07f898224771cd158c6eacf3a4abaca54fbbc3c0d90ac4116e51d100a5a8d

SHA512
4022a40078785058fd78cd8bef4a5b0164be2d7481768a77ce4203d081b961d49b494ee92e1a68a6783d2500fd2c1f0986d656bfcf947a0f73302abb61418b31

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ea584326680d0ae34e9624552425e4d3

SHA1
4b45483ca5eae5533de4aa8872e71c5b1f5905e9

SHA256
32654fb9dfe0bc781e57d643b3d0bfad28ffe2f81918477dc4d08f3334147b94

SHA512
589f660f765efc15c48927a4eb5481e5a6a67c70f088ecc1a10b36e99018feb735f87ce614fffbfc518e3ce5809fd0c6faad4c469ce1729ea5b7ddfb0b8b53c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
98c2d0204c40fc539dc08ef750238254

SHA1
0e0f9cdb40313100f8d023f6da5cb8c7dbd10a59

SHA256
34164194ad56be62bdf817d27bb704f4924e1e396489f6dbd851ad95bba3c42e

SHA512
d8a552cdfadb05f551d0e7597af2a6b769deadf66569b0620681875bb622dcd626618983fc20432ad1249d85ea684e97a0f26c3379e3b6c7238d10b79e597b6c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0317d02b0ffda72d213eb01e9239e40c

SHA1
5b058e20a2f3629aa593707ab459cc3c7b93d895

SHA256
73e1aa420ff577de06af32cd4dea3148779765ff05a92e0b7a5b3d37a13dc093

SHA512
e3dd64fd0cbfbaff10e1971b9fc99f9e243a17bd335c210d6a49b3e9bb95e7b3d6b7134addacc2bedb655a046f448e31c4545f0acff9a2330b74ecd70353df8f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8210aa28d5aadaa94d4635d49cfe6b7f

SHA1
72dd9394e0e15ac36ba76faefe972c77f331cb31

SHA256
498100fb39e3791767bf05b702993999611b61cd8a08e066e72aa67dad9ac628

SHA512
1a669392ea6068f08bf17f2c824d149868d251be1ed0cb0125e343732d5b7ad78319af4797347b29dfcd1e8a375a8eda3b0a21e94e2abc71a8c3e8ec1550321f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8c5b4dc1c1b491d01fc273eac2984e61

SHA1
75874e23ad600f8954581decded23d30fa584479

SHA256
796d42699a141bb61611b14d2318b7bd331fc7589545b69c69cbba1f3ad1d0ff

SHA512
0d15db5fe9d8079f422f749f765a06bfbe3d725efc134bf24131d6944a9f778683a13b1554db660e47b3ac27b7edd5c1b74c0f86c4df4bea0ee8ca07c2a3c665

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d7b2b6cd53319be67fa660b44d406144

SHA1
74c54475a2877ef59619979a5383a18c4db6aa66

SHA256
73597441063e234b835d791bacbf664fc63be6bbbe694ebe002d86ace202f614

SHA512
bfa064222584dec182b7ae439797bd09b36b3b42f3ab149195ea11127a4fec7b17cf7677d473d4ae77f9439906bfce614e232384cfd7457759ce1756af92877e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
87cbe71f83572a1ccef166a09a71a7a1

SHA1
07abfbe439310e45b2e1cf28e5597460760cd2d0

SHA256
fca6eee44bf4dd47a38aff5913f3e476c3629f6da8b466a4aab6459ac114c1fe

SHA512
10af91beea2e0b1b79114c3b92f60ff5df9426b0b4a118a80646cc9bff56c765f3af1fa53466cb4f6e17db8c9ae84dbeb5cf68d34c7818fb398deace5f4981f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b10245f7800f00fce3384ccbb9f5ae1c

SHA1
8bcfb23dd073b6569a13a51c7d2c53e330eb138c

SHA256
fb97ff1772be55ca7f830132a6f8657d9daf44ff30d8a29853f37095bf2f5787

SHA512
e913b76a3c976a49b42461864f791de1f3a22b4c1a4705cb20e4b6ce994b982aea1be2f04751ac1a43d6e77bd8bafd5c400da0d7f6d71239c744dbdd55689e75

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
6b55dcfd57353ec2c0aac1901c7ac1d7

SHA1
8aa9923d2eb0dfc0de7e8d7a75efc2523270a901

SHA256
e65791ad49fe2b8f8246b40923d84e18b60dabdf219f706459164042c1956208

SHA512
3e7ddca26da6f6e17da46fd2db26eda94f47e27297824d63a30924051cc93aaae0c58e2bd5ff659ae2f5cf5678b8a3d1b626db49c1c6e447271df61a38c1d203

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9c0fa2889c84c49a70377bf201970753

SHA1
e9fc35005f4aed79ee4a2fb0fddc65440ae8c29a

SHA256
16cfa54769eec5958ed275a68125813bcb131d74088eef9bdb7dd2886f955c19

SHA512
4c99696461c2d6a445a8a85d9f06df4e2a25a47fea1b48cfb74917863dc267031970727779311a88a9708c4e8fe91e7ee5dbb5cf3cd79ea67c949b8d29c209ae

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
756fec26f42cbef4402d1fc63f28f53f

SHA1
7c5243b012beee1314b80dc041505489693b98ad

SHA256
8ac33fa91d827eafbc0eb69728b4df11fa3f8522ef0db2a0d8ef0f19645c7f93

SHA512
71287caff3267d1991c8376b07fb83c5247343eda8a354832f42b0388f395bcf62ec3792aee7c735c3f60a37662b43e89959932c9513232e0c6c2400748dcbf2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
becf9839320cd75a61221532f88b172a

SHA1
37b4fede20b0dedf49afc0154440238a35bbd818

SHA256
e6289560ab7d3fc4dd2a5add15664dbf9fcc18d7ef863bb6937906f2858d9024

SHA512
31c1802f8473beb892841bf957138aebea2ee48b4e717fe08a92872ea2e4412e50e27ae0400a12393851810867e5fcaaf800ecb5b4c4e5355413ea7c002a318e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
91726521ecba13b0c0b85c30abae90a0

SHA1
44e5fc3eada999dd16178d3644310839565a5801

SHA256
3eca4b6cb7d916c69e0f87658bdc828941783a5dd72fe4bf0d195dc9087bbdcf

SHA512
1377a5aab911d03b8833a7581fe86cb01ab046b7d682467a345ac1dbfe4f9644a956b124475dcd4ae389f27e7a4150710200589043173a77dffbed0aa9548084

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
7968f731bda7a449b4ff4a8f2bc6ddc4

SHA1
dc11b85f114bd08aea85768ef7f0686bba65c5c5

SHA256
9078db121a11e9a76669ca19ea5ab7aabfbd51bc4fc0be245a93bb0803dfc4ba

SHA512
5920cf40d648274babe8f8f92be79dbc3c6645f95f59bb2f98939ff4fffba3ca68b8c168a6590e030c679cc92804a97b339996c2a364d02ea63e2367d43e14ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
7b6d9277292fb9a54b85bc9e96dd1179

SHA1
41fc1eabc028107478b130aa0c63ea705e2b46ef

SHA256
e0afe0235cf4d25cf2e93379035bf113105a93ecc4758cd23a00bf1f0dbb96ee

SHA512
325726b11a7f8da9bcd018b3087c9925d120d2ac9b46144cf4fc2033d97f19d6944fb5499a7ead6b665653167f6601e2f33d0c712fae6b7b5d26147c71add2f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
45b762cf86eba6b4ca465c12a18d18e4

SHA1
75cc60ac877176e69a813698215435e9c7baa41e

SHA256
121db1b2fc0588cdc6110fac26985eeecf476007b3044d1bb6387018e8b7724d

SHA512
e59ac27c8f4ccab65b5e1e72510280003a10f9196894a1e513dbc4444772928e7c89c30fb369ed7ebe4d30514a391582de82cc9dddd6816e9156e20370ee148e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0b9725a3fe44defa64eb8475e87e507d

SHA1
aaf50a443b3e830c8143e9fc4a436307f69b70ee

SHA256
d533c15b5dc4d8a52239fbfc9fee61188b0c92ab10843c3e1a9362d305688f52

SHA512
ddd276797ec5b9d149b0740230e81b714de94a929ecdee6c1f8ec46cdfbc7ab055850100b9f00eacf474d65e1826fcd02a5d690590f87021414a23dde7dd648c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d96f3777340b8b3d66e57c48e97ec62a

SHA1
15e5df3196f9945a1637b27053fc8ff6dc7bbc80

SHA256
f618c10c9a799f65551bc385c12f15f9e4a440a92fd0de4fe3aec4cd6d7d533d

SHA512
34a896fef2b414dcf88ca52cd3fba2451ce9fe2fac5d8a36dc182e413be80c65bb9139611a1cd88ad708c3daf23450af24b48ba274983144631937885908ef7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
87d1b9ee97fad010beca7ef50fbe1d02

SHA1
46971e19050c4c9fe8a2f61237ab53df06ea9f94

SHA256
adf947aa0fcef83ab94441a1671f6b51a497b50ae8222cd8ed39aaf71ff45a41

SHA512
bb57984e5a19829fe992527f76b5665e4bdf19d27bb8fe132726ea811fbac320701c23e546380002de5f13435f6b09cda996af5d14dcc44ff4551cc3658725e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ce872e322f858962dbcfa0ddc802563e

SHA1
5bcf3bd8015ab1b3fa421957c58a59ac7656d79b

SHA256
c391f772614fd11bfb7922f20da5df3f83a512f93e36e047de701b13cd6cdc67

SHA512
7e32c3a4624c4b6a89229eba416572e69bdf2d68ced7d2571881a36f5f527fde6340bcfa4e817ab8aa017026470eaa2db40dc9203e4c66095791993ef19cf5b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a6ece47fac43d77e94a3772f068a4964

SHA1
6ea696fcfd24e26e34ba256266576989cc644473

SHA256
7fc9c1d20be83efe1bfc26cf68848c83a775d22a4d799d0d8e073f98dd3b1dd3

SHA512
6e5383617113b77e8d0d90768748c58819047170723d5b6c03424a3ab8e63ccf5cc0fd69c088d2f55125d467e1b95d6acec7b5da82bab922a09f2b77ebb8781d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
c6713ab0ad346f2007ceb9e0e82b0689

SHA1
476522afc220a773b6e16859153c80b17ad23eba

SHA256
6fd87529faf8ec5df050aa53f55963a23ddf7a0e38614763a27843072bc0c981

SHA512
b22474d005417bd09875a8da53574e59f08840a5ac6c59e68cc4cba1ca8101d6c888b68dacae00c37a8ef496979e494dd1cd9575ad9c36e161ba347387ef3b0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ec19dfab30246f73afdb91cf12593d8b

SHA1
8e8eb0656755f0b82f4d54f14086c77e20871237

SHA256
92844d8b6552116c57d726196b23758355ee7c11fa79a806b057d4c553eba088

SHA512
1c0cf34a86ac170e81577dbdda8d23bc88df105a8bab3968a24fceecb6a23186e8012d233e9d58b85e830b3b11101403751bbbf08362ad1b3c40965c141f361a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ede2318bc33314f784eadff8534a5159

SHA1
9806c025f51e72fd79784fa34b43305805fd27aa

SHA256
6e46c41689eb119cc4945ac4c47d2041d831d8585511eaac3f4e00947dbeac8f

SHA512
14023eed7474bfd5a39a7026449363ecbaa994415fcd924bde4c14b682d4300de58ce1f76b2907124f569670a0f55db880e40edc3b319e5b745ac41a578b8b74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
cee6828ebf58ad641f115fb25488664a

SHA1
48fab1b6ec12c63c599b9e6cbc6133caa8d35b42

SHA256
e222020b800fd804dec7b3f925c7dde267b7eabece80a368ca1527f636968903

SHA512
e5a8da85c67782798c168d637328b209738ca3c5faf5b9cb1ca2d7c7eb7507c781d49c15b2026287d2213acf9bf53bb8c0c5a6ebe390d427993983999110a201

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e18a8d4c0c02b0be015ceb623f59d69a

SHA1
6b99c6ffefef8a9c45f256de327db44cdb527e7f

SHA256
bd2201b9f47b352c7005e71c2ac2129d7a68d7bbcf8727a70abfaf26bba22c19

SHA512
d6d80e13c7501337830093435078e21dd1e0b081847b626b704460896bef5495391f9d842383d7eadb3cea68b3fd5115b3af43fd15683ba8bab3412a8bc94265

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e0683b6e04ceb8cdb210073df1531299

SHA1
e0159a411da492047e58ca6342175543578c9ecf

SHA256
b0bfd196149624fc60cd094791db029327de1902c0ae4d498556bbf5c0a14f57

SHA512
58f663e6449736f72bfd2f49fa3cb6de1aa67b0136127a3ee9db7b1b7112e291667875edb101e0dd65095945b67272d50bfd9bd0bc180d633e0761ba186b266f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
1a0d6dcb8c9b21380753ee7af0f463fa

SHA1
55495cedfe102e5238fbb755cd228f33d57f7d51

SHA256
2b8569adece26b35b478bb944fdb4ad1d6352b09229fb5ef440bf49bd13a9bf1

SHA512
2c686d72d055c987194543bcc4ba8ca50dbb17f0c242a721559308ef43c89a79916c3d45c951384381ae6a6090b1f5359d3d706ea8678032dc21471f8ebd6d60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
43402230553a154083ad3679e748df94

SHA1
8b5dbc22c59b8c716b8c06506820951cf9217bb9

SHA256
31fae230b472793c898e48b717fe9d97e781851f5aca17790d266d7fc129c93e

SHA512
e016b73e90d3d60c4906762a13045802e764d41e55e13ab92732e561bfa9c1ce835e932b825967b9e9dbd7a0cc096d1a43dd68e7555126e30965e53b0512894a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4437fee87dae7e85dc45d25735de85d7

SHA1
0fd7e81c7d8b73603f9315b5e56da0559365d0b1

SHA256
90dfd82a2f7d03ea0b169fba8f1a4f593af18bd309c9b044c1e0dcc9fa3ac838

SHA512
53d9fa2af9ef6b1ba60738e0d94c85a7e0a6fbb21628576f7c87a471870d8416ab2c3ea89b216df2c92a6eea72fc60a72a1fce8f9b5ba84e66f6c0fca378d475

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
0bd8f357d1aa96aec18e61bb69f87ae2

SHA1
7df31f75f2a933fb1e78a2c799ebb7765b46a12d

SHA256
e2476be22a144e7040fad05976328eb432da4ded9589808fa5d64d47d0e99d6a

SHA512
e4191f3ada26da58332433590280065761db9e5d6acb190c6ef74e18318d03f0e95b5790aa1e8664028acf33717f8d4adf4ffa45cf49b798b686c3b58a62fde8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2bbaba6c12f1d880953f80b26ca0c34e

SHA1
187d20a7c092c5b4748017042e197ce4e7b051da

SHA256
3f9c325fe21a04534033c412c6a2d2e67fbc37258796a944d5945951aad5d4a8

SHA512
ba032ef4fee2e95e43203916d1f3dd69e31f2780ac2a1c75631215e75dd42c796e712072f5adaab409102b038fb6d21798b4fe0c5d41b56ea936e0f01fe5e125

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
928174a63285aa7682787fba682ec9cd

SHA1
611e2f6869d276ca200416c88d005951a9a2bc9c

SHA256
96c6d3c8497f0178a9f2fdbe51ff77c85d6c52c432ccfbaef6e9a2bedf12f3eb

SHA512
135b2d3ff9ba0873013dec5c99206cbd126a71ac258186ee273b953cf9745fe61ef5e2526516957ce6c8993e19273450c950bbe6e1555def1fc3fa67a0f3076a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e21b6e91aefe74951fe723a35806a323

SHA1
21f1d0d871ddfdb75b9c8e1ac5bfe80041bfbf00

SHA256
23736766a0e67175e38eb285f34a36320604b5160e7332b4a46dc597ac21baa1

SHA512
c1e714913b719ce4f540e614bd9e9c6fe936b4ca5db99c80c4f2ce977543b73764bee86d0b164fdf56575c999a82a173cfbc4a25f0d09ad517e853f061b0d4be

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7551827f81cb8da5f5123fee9d15f8ae

SHA1
3aa62d88abb4258b61e45c213de4b4090c155657

SHA256
82bd156ed7d009d82d50c3b98fb92a0d7411ca5501e2696b9ef05fc4436217c1

SHA512
6a6b863e51293e4e3583e96b226fe8262fef94b3b5f8dab259cedf0bcbc9c884054e3817659104294855b854968eccb049269d423e60ee25f062065e5de943dd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6285fa1ef52f3f6478764fccdf0247b6

SHA1
6ea951c6379f2ef5579d6481613d42127b88df34

SHA256
e6528d88b3fac1a562470b04437b7c1f11819acc57126bff8e74cc918791a683

SHA512
1aeb509c0c3c77f8e2b84704598dde15462731005877751211a5d9d2c07a3d20edd92ebaa3f0b909154cf0b179bb46eec3446267ecb04d936c8351308dede734

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6d3a3085ad60349a6c8635a4078ab3bf

SHA1
4a77e232e21ac2f05266eb05c98fa8208532d6a9

SHA256
745d57af526e6e6fb3146f8acb034941e0a26b8a0eba6d0eea41a1931c9b88f7

SHA512
2d92c66333efd9350e0a8540b173b128b0476d4c3116a3df0744498025962a01c4dc751c10da98a1b8bc0c9c69ff614a24bab3959c502c7c59773c62c23870d5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
1981691a3e05f99c18979684bb3c4acc

SHA1
b11471369c5a6858769dfa0f7b17c7a569a3e352

SHA256
e8cb1e3ca1f183d1356e565e8e3b345a3fedc342daf3f7e3d398a158005be4a1

SHA512
bf3d8aba1c19e3254a1c667de30a892926d6282efd565dae85c842186a1f26bd9eb88a2a970e4e49ac8812fc0730d9d0f9b90dfac91a0c32fc39c4bb81d17052

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f1671a1f695a7c911edd4c145c4fb16e

SHA1
01e93df11efe00ad0cd212593acf827bd59afc7f

SHA256
4b5b63fdc966309c3a321cb7fbbc71fc437ef03394879b5ffaaccea465e3d3ab

SHA512
dc27740f139c6defc8e76999f6ba6ba499c5ada0c1b9f03563d19ddf607524b66e1da6c5842988dc8341b01ae9b4e3e413d476a168930b2538b18b12a8333641

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a275acd4abb2439e0f24e1d14784ce50

SHA1
52a8e6cd6da0acbc7f8c51685b6271ce3d9f66e0

SHA256
307060438c945d9abb91f82a863a3cc72f56bb0e5b6b931116643eb37dba4a74

SHA512
19f1c76c2acfe699f9850b246deab153a72ccee1e168e827ebec336c03ae19c41825070d25ba567cfb5f97d4fe4ee2e8cbb1b153628280ea7f3690445807ca51

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c76f56235b9b4ac0991e8b51ebbbfb39

SHA1
3025fdf05dff5b794999ee5ba63dd4820e6c8138

SHA256
2665598b0c8f84a9492d8bec2f79975195e49cc7d171f032dd7c24e8ec96e75d

SHA512
784d9133a69e3e198e14d4b8e7e84636aaed4129edb876a62e85116378e0fe6360c9e56b0ee7f15b1e01e58af5ad402bdb17e302c1279e3858fd7e80e086b2d6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1bfed0f25530921b80e322493cf5a533

SHA1
936b929133f28dc5e8a3372fa22f33986d37151a

SHA256
6f06c1b8d28a9eef05a181a73d3e7fa344e1beace45037a84f0bea7bb755de52

SHA512
b29dbd949a750d6dcc3711125eead9fe36b4e5614e75a1e442d9644f9900dfce0fb943403ad0e6202a8bdca2694feab82b22e4c872fae2bc2ae0e02daa80a545

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0116cc949eb1cdda30c25e3b4d670dc3

SHA1
984a5b2d09decff0589960e1fa8a47244bc86d84

SHA256
b150c07400e3e5a89d60d7b4fc69c7509ab074879488d72a40cc26e860400928

SHA512
4a4c306f6d053c7ea9f65c0f60e821efa8495af21ae6fa89a7249fef9838454fe649dcd9a82569b56903ed5ab4e39456b6f099516a77b055f74f4995047f17ac

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
3673eb6b5daa118d18f245c6b59038f6

SHA1
1f9017ad5da741cf6d6d912ad2df1121d22674b5

SHA256
1a0846888648a5e3e13892611790cd1e1617ff44b1f877913e5d4d50a6db1dc4

SHA512
a58e47601d5d882f6c195530a30d8cb4571a18a6562dd14fe0034c44284d13f5be8a26e7033abc8fef333458473775b289d4da555722d3c18802552ecc54944f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
bd07adae8c736167832e944f6c9e2428

SHA1
79828053612fe5859497528920a8b340c1e38065

SHA256
c6be57599960c15bcbdb1796289d220f4fc3e43414482ee2fa3be63591d7ba60

SHA512
075fbcf50ccebd15debe9a355827ac8d1e7f79313d70de635c0533ea393ab8825beaacc4e1d2626c8c6e343aa5102231069841feb40a8b047e54327c494b5488

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
65fd5c5fbba7f975bdc7f903c05d4516

SHA1
3dc4cdaeaa43a33d976a259bc2466e1236db21b7

SHA256
1b5f9fca4cc37054f19f2ee08fc02199c77e98adf1f01373ee7f982d668e2545

SHA512
627c447d12890efcc74e27157c095a3da54872dea3889dcb2b12c0ff0c33a376b51144e91ede57f756ea0bd87691bdee9969db089bfa38fba54efae87f62f984

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
38f623169a468533f6aa690b6a887bfe

SHA1
926c2a0b61041ba2b406f15ad30354054e207108

SHA256
f5b81873deebbac65b4eb80faef3ebb9963f6bb83157e3a4a5dc73a2954006bd

SHA512
aaa7fccce3f2497e18d579974a1507fc636e19b1c156931c0f683818cfb33ead8b63f114380238094ad4ca68ee5ca0b867518a697e028675a5434dc8c57513cd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7f2dd42492c123e111e45796c4dd84a2

SHA1
a8f94ca083211670135897b35b946098cae7b2ed

SHA256
d0a7ed1fd9e4e58ee3b55ca07de222e714ab8c5b11b4f5ae220cc95001119a7b

SHA512
ef9399904d2a67d905f8f2872fa98245854c390a8e12a72a2c5018098cce1ee0bc66c63f3789495c16a72ae4cc3b36a450694e6e2939bda2a4ffd493901b4fc4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c2fea440b83abe672a5abbfc860926a5

SHA1
1acf663801448d1d6506921b441e61a9e97a6014

SHA256
b79f6b9b0300bdb8bd5b7609e7342be07eb489d5bb4c7f0e55e61eebed6eb193

SHA512
7d84cb046c924b224a44aac19b2b61cc69d8b398d3d27b82e9e560a180f3c09d92fa7594d6abb1bef1bda56b2225d5b5a5b8198ea727b1ce420f1d7e537caeb4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
854f407b7a64492d0edcde035d3f1a00

SHA1
8c1f1adb671984ca62fcaea825f62ce4473fefb6

SHA256
d3e52b1c12457411efaaf47c5a17fb7a914f5d36dbacba2aed01803cf44341dc

SHA512
345fd8fa3ebd33e279d48f760204149a4a9c941739ef63c32a0bd751af6e428d953e66ea80c9adfff58ed6ef7284c7ba806e2c5b1495cf6d665f63d994669e1d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
0a324b89d14394cc7f242d56176c7f24

SHA1
2c86450e6cb7f2470b223715b2e52edf4ac45d86

SHA256
be0b0d00ed07b2c890ef1acd4895a53a921adb89b5e15c0733ce40d506e37c28

SHA512
f252a63cb024707dbff520cf1ad6ec6f28d7d5fb91c85a00c60e791726e15d9698614b420a60379cb6e81b633663dd3ec84b645b7c31076cafadb3a95c0fe576

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
65cdc5bd18ed71c4c5ffd29de1925af0

SHA1
e82d5b547f06d1e395215f6101536fff22503d04

SHA256
fcb4a6f7e5e8597dfc0cede0bea144963dc2440ff5a03d7f0b224d41c3406184

SHA512
532a93f13e2052607269b10371e90f3e7aa2d16e563539f5ece876ba3dbf323f7ab91dec2a02243e59d472ee0ff169c8931d3bf4832c6ef0ac51d35c893e08cc

Download Submit
memory/448-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/448-594-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/516-239-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/516-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/844-584-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/844-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1052-588-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1052-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1128-8-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1128-6-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1128-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1128-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1128-104-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1404-596-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1404-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1772-74-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1772-80-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1772-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1772-99-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1772-590-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1772-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2044-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2044-215-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2336-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2336-593-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2376-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2376-443-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2380-35-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2380-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2380-26-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2436-597-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2436-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2624-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2624-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2624-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2624-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2912-503-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2912-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2952-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2952-587-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2952-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2968-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2968-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3324-127-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3324-21-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3324-12-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3324-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3980-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3980-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4140-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4140-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4184-52-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4184-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4184-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4184-59-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4928-91-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4928-96-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4928-85-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/5108-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5108-39-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5108-45-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5108-48-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5108-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download