07ff3495f2fc39b43f9e965145d4b2b1d398f6ad634df7e8e45a25ceaf547036

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
Size

1.8MB
MD5

f6293da60bad1f75c358fde5a02cbd29
SHA1

12f1f2eac1993f65228c5ccb567cb311695ec01a
SHA256

07ff3495f2fc39b43f9e965145d4b2b1d398f6ad634df7e8e45a25ceaf547036
SHA512

bde1b3b0b9fef290f75a95cb6cc5eb5f44c9b9e87f2dab2ac8d0d4e3e8cbe6edf18e0fac06424793c33a6a71393677034e24624ec37965b1da77cb5f48b281a5
SSDEEP

49152:TE19+ApwXk1QE1RzsEQPaxHNTgDUYmvFur31yAipQCtXxc0H:093wXmoKuU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2500	alg.exe
1208	DiagnosticsHub.StandardCollector.Service.exe
1948	fxssvc.exe
2000	elevation_service.exe
3744	elevation_service.exe
2328	maintenanceservice.exe
1692	msdtc.exe
5044	OSE.EXE
2080	PerceptionSimulationService.exe
416	perfhost.exe
5000	locator.exe
4076	SensorDataService.exe
3044	snmptrap.exe
528	spectrum.exe
2668	ssh-agent.exe
2936	TieringEngineService.exe
4612	AgentService.exe
1296	vds.exe
4564	vssvc.exe
2856	wbengine.exe
1108	WmiApSrv.exe
4900	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\da5b79c2293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f28cfa377ba8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb9d86367ba8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008abe28377ba8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000429540377ba8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9e08c377ba8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec25ce367ba8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bb27a367ba8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
Token: SeAuditPrivilege	1948	fxssvc.exe
Token: SeRestorePrivilege	2936	TieringEngineService.exe
Token: SeManageVolumePrivilege	2936	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4612	AgentService.exe
Token: SeBackupPrivilege	4564	vssvc.exe
Token: SeRestorePrivilege	4564	vssvc.exe
Token: SeAuditPrivilege	4564	vssvc.exe
Token: SeBackupPrivilege	2856	wbengine.exe
Token: SeRestorePrivilege	2856	wbengine.exe
Token: SeSecurityPrivilege	2856	wbengine.exe
Token: 33	4900	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeDebugPrivilege	3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
Token: SeDebugPrivilege	3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
Token: SeDebugPrivilege	3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
Token: SeDebugPrivilege	3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
Token: SeDebugPrivilege	3668	2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
Token: SeDebugPrivilege	2500	alg.exe
Token: SeDebugPrivilege	2500	alg.exe
Token: SeDebugPrivilege	2500	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 4580	4900	SearchIndexer.exe	116
PID 4900 wrote to memory of 4580	4900	SearchIndexer.exe	116
PID 4900 wrote to memory of 2512	4900	SearchIndexer.exe	117
PID 4900 wrote to memory of 2512	4900	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-17_f6293da60bad1f75c358fde5a02cbd29_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3920

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3744

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2328

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1692

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5044

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:416

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4076

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:528

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4908

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1296

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1108

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4580
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9bc40f96bcbb779143805b105ee4b4b0

SHA1
cceee684b5d8a72b9b6d24c56611f8c971a7cb8a

SHA256
7a3741c61090450bf91e7f5da36872acc57e2860752d6a8de3edfcc64f3a4c68

SHA512
4881799f8c4ee8b65f6f66797a9b5db56b702c912e548a3a7e01de49608394dc6a23ad5775e71913c235b61f3477081b4f1d3edd1f9192aa639e2cd6d32a0abd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
7bc99b30995b2f3f5d323192e485e1ed

SHA1
fedc08b0467d5d32f559e44d5622f2d66782424a

SHA256
f61ac84a43964d7e5f8c17808cb7fdbe3ce981900705caf7fd95f7cdbf194bd7

SHA512
90960a1b7e6f980f3e5191e1a9ff0920f1a2ef667733845129f022137a39c2a167c8e2fb06b94157b29d317cf913cf865f6068b02928d6727e727abcdf4863a1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
22a5102a66b94c3bf8672938f526ffc0

SHA1
dec60ea5ac1c20847298a85accb015c37483ba30

SHA256
7ac0c172a7d8b606be4c4e9d1e8fc9defdab755d929b1034a41170fc457ad777

SHA512
1e8cd2842f47cf50b28fcb41b51fa06aa272529872702bca8fab5267f1a00bfdd9ad43ccb6a0d8ac3f8c70935fcd39eb7abce8f374f88b01e2ff96ccf1d16ab7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3f8c9af5c9c0e1f814c9417fbc841959

SHA1
4a38d74e6a1a485c10a12e44e2038952e950b70a

SHA256
82fb266457ce1d91f28bdeccd32e0a092d8a08b18d7a4952e36f97ee8e5de4f0

SHA512
6b678b51885e6a17ffb3e9c1719ccb25ff14687ff50b79b4692b6314d6e4bfc1f50cb7c9bc36d653daae5a6a0a8a490a21ff78ad4669d1109118abffb5560157

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c85e80a4163f164503e2c36700167343

SHA1
03a35a24278576e02a6fffeaaad5e5807a3bcae8

SHA256
8840abdc3423ab07faee572031b98504486ae39f1bc17f2592f657febb836337

SHA512
94490bd4ba9595fb2de4d1f83c7021d54750c317380741c9a860020c85cf8873f52f18883ee422f5d5935b0cd81d892935a8b45f87f5521eec8e12c528a64457

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
2674b98e468c27c9481e646825ed0bd4

SHA1
5c9b4341f8f602d1abf4164529d841d359c27496

SHA256
ea3f7b25c7ee7089291dcec63ab3b622acf9dd7d6ae1a33b59386accc45401fe

SHA512
4e42fb3b2f9676f619db85f63c9daf9b5c19dab19c4e547a7f689211d7c7b42f8f45544ab3ce26d2b4d03c00a3a8b7f4b4c193f6d3e92ed73b2e0e3696525042

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
407fe2ab848a34eeecf750c8daf2e5c4

SHA1
e3809d79de698415854b05d7734b0d0229bc642d

SHA256
d9196e93e81ac4d487f4d9ff83b6efc6b1341394c1e5fa4c988c44ca86b236b0

SHA512
a52449e33c59d4f844fe09d9a1423af328dabd772d071f9d73688e1907576573407c5501a2b1969a22050e8976ba86170b18f47e0e4e50c29216f957f9ac68bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b05c9cd1deb9cdca9bbded22a9e5b774

SHA1
9b8bc626adb646afc84fedfb8501c75b9a1ee242

SHA256
12ea2034a557d8825c4808f693d5f259153ccfe57bc05e97be82747aa2a99091

SHA512
c6b7fa3151a8c03f1195a6505d83f22ba2db335244258aa6c56691f46aff7249c963b343c9297070e7bc39dd6272420319e7ef0c5db96c4f92909c6baeb9372a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
f4fb77ad21a5acfee0f26035f4580fd0

SHA1
16f03c8fba9a26e2995ca221af797b1a850ee8db

SHA256
313f75bae1604bbdbce0abf2cc2357368d2571e23787df28994ae0fb7d7f9cc6

SHA512
6e2504fb7b5d674b6a7d0da31b4c75b885c63d422cc7e22483cd2783363f28333d31e9a1b5ef4c557709beb1faa163ba27c261723634b91f0ae64fa21d9f80a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
77c5f350c06f47f117e10cddbe7ccf51

SHA1
4658e19f8972922253f19aaafb64e74d39e20506

SHA256
b8c17675c05a3eaa5a109d05f9dc4b0d9536a4e51c58a8b753966fa407e6f87a

SHA512
9ebe0d7a231130014d51c3f49ab2b58296d53fec02dc66c5eea820eda3d983ac0dbd93d5e491c2928b904292ae33d71c162492942f6dc445944d7540b4ba0555

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b22287e955d12960f4d592673e9e8c52

SHA1
6e03e0b85366819e7b189c84c3692043054da946

SHA256
3596278e88a0de9bf1974fd9cb6d29a9964c4701f6c5607aa93cc261a82e76a0

SHA512
5d933f23872844cf1ec95e68f2b9522565f9cd941f36dbd4ecf2e46058a112088f9697a533f3b057d322bda12eb677f701ec4d447b03b9784560f2d1ee10042c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
30221aa1240013e5f2e9f69f92c87678

SHA1
a9de5fd4ae65c9affe9bee33c6c135bfeee7028b

SHA256
c6967daaccc79f3b47098b5a9755b8dc67a75f2320c75894b4141abe8e9f5a1a

SHA512
ce1511560cda32b8872b7a993a3a042c7724ab92fb7e16743c4a0e5419d61d6e9c254b70c63cff231fdc1cbbf67c26a5b7f5f307359e6351bf3a5fac1eebd386

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
24e71cff5d82fbad5ffcb317d0fbc0bc

SHA1
1ba5dbf8a5868967b52d77e773c23ce73e07d02c

SHA256
33ac1cf779822b0c424cb2082aadf0e061715b2d0d29fbbaf887ce59e364b427

SHA512
9ace385b4f2a4d874a14601001b3bd96bd024db98ca65c39d972bb6992f446a91a8d6cd2574534860694c674ca8104ac105fe798a88cd3fecfd2aed0dd7823dc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
bfc5dcd64805fc513220db9fe1c6cad7

SHA1
ce7fddb08915812dea6b9711c21a93db3f639c6b

SHA256
bc378930d5166fb5112493fbeba0755089d3ef1f60e66406180863cda9b89598

SHA512
b1f5ec58a89623b913d13e6d6a24bbb00acb0639978c855a5520eb5ca4a7ac3aa2cb72aa2c85472bcc3ebcd499dfeb238341c1ccd1c195f8b484cef589e534ef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1aa13f449de8d7550c458e86a5344938

SHA1
3c63c4ce524ea6c6d858822be0ca0ba2f3bddd7d

SHA256
90283487584aa87ae8dbbb5b21f8234b56c3df0e61580825b40a871da33287ba

SHA512
2e0db73e3151a32d31511a0e405e6f235272d13d7cb20ec35e46e42aedf56edcd0d2227cff08834594bc9edcb423f33dc69313458e801bd154f85e36cace2cfc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ee819e771df54c8090888667e3048eb0

SHA1
162a944330af9e12262e4135d1ebc4c7743e90d3

SHA256
6a6110f8d0172ed76d17d5d40bbb4ad72c57f822181b0eaa3411795962850b0f

SHA512
002110fb8585dfb9af86d543b9815edeafe23e8ea54bf15cd0fddb10f858b2b7298c5c60f5c452c9545fdbff6cc5059a6119b609ae7455a4abbdb0190ce3ecdf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6395ae60e85bc30280b8b2a74003e003

SHA1
cbc09740f0717594d51b0fb17b478480106e4bc1

SHA256
365b54d748fbf5490dc4f976a3225ffb3e5fafc47486af97d6cde134ba17c417

SHA512
899b517cda177474f4e392578a74163cdbc348ae42b480ce5ffb513a4c86d5705569f3894a7567fe1832e321f0024e95c42f8cfc48cb650e061dc2117d8986f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4b0c01f700840a46d5db6b1e993c3293

SHA1
2a31f4ffd8239b5542ecceeca1dadaa0d741a0c9

SHA256
7e1d489f3455be897d9a4eb048ff251c387af2ea4d23e6ec8bce6f6eafaa63a1

SHA512
a740ecd1178c58c55b316afee5315a3eb86ea155c794306a304303d253b91073b476e62f5f6708d4328558521c5410e8271ee2e674256fdb337189ad26d45d2c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6f60e9c59801fe5518b010b1d389e6fe

SHA1
5e852711177e8e573ebac9bf3dc8eebf568c2a8b

SHA256
c74a280caa5cd7ee18580d1a4baa557415448b5e5a58d1a8f2a0199594fc3e89

SHA512
80e636c9e830d1d11971fec3b01f2bb5e2f5852a9293d13674c16d708d071801de70fefd5ee477aa85f753840550909755361f54e63596eb4608438680807450

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
844b232d759172c175263311eb0db2cb

SHA1
125003826e35d39539eaf77b258fb33d6e8841dc

SHA256
c90bc9a974caf3a74385a330e802955541254bfd75aeb33f4c7832882aaccc1f

SHA512
a008d21d831b4aaf24a39e274831c34e86740c11d53868aa14e15a4f59dc825d05cea5e6b7c5dfaae266e594945cea8ea27929658884cca83578d8eff49b9f8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
55e5260d60dd720e78825abf00883509

SHA1
d6f7cf46c094af090343c32e82141d2c8f2d669e

SHA256
4bf110195e693c159e700aba3722e1914cf4dd48617224b268d0fbc16e663dcc

SHA512
162b9e19c59bba641ba30b9acba5e3be10bfc4bea8a5c0ae6fa2fe19721f3767bb77ae2ef8a3b9e0195bdfe03a632e2c08b502d4ae116eb9a101bb7664663571

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
ed125853af4eba7ee1dd1e20f1768ea0

SHA1
619f801de2b2f7b3960a92dbb5d27591643f865b

SHA256
2b8a9930593d922fb56170d54100a7deeef8c66ce2f3c538d52c1b6356e1555b

SHA512
c55a7d0438b81216ac6cf29ed3555ea113705604ff1aa68610cced7a8a80e3f895933be3e4ea8537d60f3cd562ea70b6741b844fe48a49801f294308f4915a1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
58c3e1ef44dd8821f70896d36615bb88

SHA1
23994336b8f30da05abf41ce43225dea028523e3

SHA256
e7dd0699ebd40b7376996bd13bf9d67f1ffb1f20e43d1b6c77e9e9a036057d63

SHA512
e308489652bac3cd82badf26ed9375272f33b8682c94a82bfefe0056825106953714d96eec5c9f9d8184e09ac9ba09ab48648217db3968c2895ea5ac57b8aa97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
8b008c2561bbf6f23fdb0aa62ea22aee

SHA1
a70cf88868c905a26813a9355b027c1c177a2a05

SHA256
169590cadfe62dec60c2d826a710189514f0ab502c8dabd32639c0719bdf6e29

SHA512
413805609c443dc6b65dc6ece86de2fe0e2cbb4cc26f5d015d6af6e1faf91c68f230c7b9e755e1f6801fdae8a05309c81706dda4baa1698cd966ed0faf89c5a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
000170fee93d1c4fcb281bd1c0b9c0d3

SHA1
63d0535dec2e701f84ad45b87891bed95b553cd4

SHA256
460eec282fb7ef0122ec7e9435affabea395552f61adc4758e4e0ddd8034bfbe

SHA512
7dfb043e3ff7474b474daf57095b25a552c138c16ee98985d7fb5152cd6dfd728e6045880d1474e6e24e97d55c63952370fed96c55c205914edaf107db8b1531

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
49d528d087c1fe37379604106e7d5d35

SHA1
b9a2ae5c65d34af1914393710b3b44062c17bb63

SHA256
4888889302560c1614955b91190ce9a9c009759fb25a885b8424d06a01f92346

SHA512
3b0c6429cef31c20db1c740b3e85295b74f5891bc10125517cbf9a1ef096b8c9272b7fa5cbb325bab832f6ba2f4e3d6707e455be57e368fb6ade54d6e1d6410c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
b046baffe0395978da9443e6d1879472

SHA1
7813dc45d563785158bc038fda8980de4871cedc

SHA256
d3fc1cdabee929204a90c49ff5641a96dd931d4112fb49e81064e8393906fe3b

SHA512
b7e02b961ddf5bded65d01df43a51372b9566541073e0c96f13f89d4abdbcbeda120fb4f8062360637e12b49461196f7b4f4e481b165b7ef366cf35dd523edb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
71dc1cd38e4125db1358db092aac154f

SHA1
c50147bda72885f6a1f6cd04808f687404dd62cd

SHA256
aa7d125d97822c59746b8f4c114ae1d531e2fd5da6e3616831e4910da0dc9ad8

SHA512
0e14b21b3ee3ec504d7ee665a1d5254ff0fadc5b22f4b54efecc0ddc7307b5e4d267d90ccda80148e5880c71963971d4e8f6f6b4a0ab928917b8bcab29655f7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
05fed33966c2e8233cf0cd1314491936

SHA1
e901ced0b9de1df88f0dc5226b8088e3506fecd9

SHA256
d6783b1d4a668376c27b8921a108d70dd708d4833ebd33471e55a8d7b9fce442

SHA512
d494d417084daf0701582b3e0cf699580a262a25e59629ff284f0110b992d543e5e24de816ed3c00bc827d19ee9b237e2bf5b467de7b4299ad1cee12679287b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
4260028e4be5a8de26104868e61eb526

SHA1
36a57fca5ce4805b1a41aac61105e966e53a4127

SHA256
06f714e65b44ed1f1c9d221f1056c01907b0c9dbbd10856279dfc2d72f1b87d5

SHA512
4c0033bef5a648832ae83164f56ba43f2d2b489917a3c0305a7f7a8df1a9f9092d67345b043c0f4502f364ddab03d2a51fb5357b5c058dc2bec14987712de679

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
3659b3e50f8ee3ff65a6625f7b2172f3

SHA1
b1d5b5a9808a20a4971a758b9b6d10ace9a9990b

SHA256
b74576ae05f0f5f1769cc57bcd3aab289616e653e267480b102dc1b079110562

SHA512
0221fcf54d42622ea7c6008b10c598888abd433192cf13f40c1c43c2e181daf6d5ca7739c4fc3484d464b1720dbe72cf8f8576ea8511fb963003825620429e9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
ba85a3ae55c07720c3b713ae9c571187

SHA1
3c1da2702272481fb2ddc7377307a58a4ce73691

SHA256
74c72c78f9baf565237f73103d0b82860a46bc7a9ebe0ff979dfc72f08f0be6c

SHA512
cc288c8909f7f46c75dc79389b637c50829f5d2ba952ed2d2f5f9d8d8668e1233a1f5c095c550b637205c8ebccd8c23a9ec25c1a172ff5a4e3529d5106a97df7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
be3849c064747695c53b039f8529b098

SHA1
86221a3400747309937d1599fc97500cea154946

SHA256
cf56d6325e33db245dbb9ea84fa4342977683a4421e5829beb49927fa92a88cc

SHA512
f42d1fb1b3a80c3e50c91887b706274a098871446ab77677999d929aaba59aca12064a485413d0f4e9c0fa7305d1e65b0b3997dd901ec842315b305ad5a7d026

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
8d9ee23e158586dee15a6d57ff7e3795

SHA1
6bd78b049546aeca7c4f1b8e6fefb6e70fe624cc

SHA256
9b09a9ebc6c3d357dd2e736590668fe34ffc9884faca1648cdff59c5fea0f92a

SHA512
b859bc1e501552aaffa1b6cb5c6bbb8c9aed3ac56fb3036802a9df4c1ad57906610460823279ee361a7f590c153414a093cf94fcbdea3148b2f3140cfda6a90c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
114b49a11eb00354b9b39e295c3c3259

SHA1
0fc00b9eddd7aec4058617c04ab9021b55d931ce

SHA256
c396613f33c43f0b566495b2dc9a12e2a07b68253ee6d3a6629c7eb8faded033

SHA512
2eea7f62007bc620d626cbafbd6c03f9b43e548900f488a025fb4f4e6b982dd5a3fa58dc4605e13647fc318aa8dbe34aad9444098664483334725d6fd6dbd48f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
a55bf44539d3dde428e6e10b170c881e

SHA1
506e5ad840730f656b1c7feeb6e3500b4bb62eeb

SHA256
30b015b4bb14d26a977a571e85c887904375421c3e12ce9ac6aff9b3fe932a00

SHA512
bdf6a2e283cf1444598942bf620bb6f6a2c9d148b6730b183303c770071c51641f79d9ac556a46df29a79ca0e52ad5ae0bcb33dcb5487940766db81690adbe2e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
de553f1497ca6ef2d20fa6ac6f172b1d

SHA1
6ff357798a5c40acdfde3feb6b73e33382d5553d

SHA256
03a28d6b28c7903f6cec5636ae3b05a2bb31566548e11b1dd59801f3898a50b4

SHA512
c7fcb1d7c02b74c32a64407d4698b68ba3adc39f68c162372c63955f4c5c80f0852fdabec64f826fd9758096a9b6b7b525a794a8ceb1142ebcd3592288fcb8c1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
85bf729f0936e5f0afb343ca8a1bca29

SHA1
5c049b8c3cab8ec3f33a93b21cb0e2e4811b4426

SHA256
8ea72a91a923ba813c0fc28efcdad8d1ae7c30e8d6f86ffc24a3d0b7717806f3

SHA512
fe0997abe9086756f0a0fbbd1b7ac429c0e70e725800edf4798f53e77311fc26fe226737ffa3e9a94dcae01ccb1215b3a2f0b743b800043185c8d5f2cc2c2568

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
eb77b5d758e9951804dfc96a0f3b4372

SHA1
76b92f09577240983aab178dbc7ef3037020c9f8

SHA256
caddb4dac7dd692da31730e5fb7cb955612ebea70c5213c418f472fe291d58f4

SHA512
04f9e11c46985d3f6ea584a6bf7f667119b5ecb44c7c8764e998c0078f37373dc6a8e0430f0801e29cb5a7a7672f8468dcaf5799e5eb05840989aeba36a92b01

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c62ddb5d72027b12221efbed1539cbe6

SHA1
195523fc46d40f684f96a70192d327e4ced5dde8

SHA256
7aea4ac21485d0cfe64b3c4eb84010d5cb0d21d08adbab07239d995fdb784952

SHA512
0b43d981dc27b10a7f1f5bc1a78e3d16db972505159733f360984bb0731c91a1d8c69e04aa819094ddf2b10d8e960da1d46969db7a36f15acd17442baba1fa63

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
4712d4e8b267a2be968e7ea58b8c0eec

SHA1
014411858d8466ca4179ce317f5c6b2dad611608

SHA256
0924f92cb93d430704d09c02be2d37e3411919edff0f5e5531ce377dc58b2173

SHA512
4d6146f57b57079ba64df5c3dabdcdbf4c5f4dc8b969c1541a423c1af2d9b30a3317ac508056ae6fddd0d28246dcf5a12654335cbee78d618ee716ae92c6c1d3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5b2d97cfd674948b4b8224ce36adc66c

SHA1
fc82f63cfe4dc31c42418fcb2c324faa154db477

SHA256
c719bb57e331e6a71b1817f2848bbddfcd25ecec4a3844d7dd673db153a26c55

SHA512
401edb1eaa7276c9d5e2663f3cf01d771a4e5b4c8fe08d68220456c3a00802959e000cb694ea495380a7b1e81f16825b65647df7b4dc5291ebaab1673951857f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
a02ea972fa53f40c75c0f30e8f3ee957

SHA1
d103e57c633cad90259284406c9f6d7314abfdaa

SHA256
2eb81bbd775d97cdd6bbd7af633d34868c58bc829df4c41715e27db6fa2e0fdb

SHA512
f446b88df76287f7f44eaa072e1e43dd34fcb65872d3bd2dbbd51c6c3022a30e02acbbccbbfea033bf49078a9c99735b2f4e663e6e883e4b57ebf68bb00a3369

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
2bfbb3248f3c42ebd8503cc0bb13b806

SHA1
649d205575e425677581ed7ed8b51fe1a78f8a91

SHA256
01f337180e0585eca9d7d0b37922880859978bc61a03f85d873dda1144108e77

SHA512
441e17b91272621dfa213be5668bbaa3b780f591174aed2e1bc9788815f9701031830367f9ab761a9871f94847759a01b4109bdf6ebdfc68d30ce21f2688930a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
16991e1e365cd2798344cdc3b80aca93

SHA1
dd86dd6c8b1d5d97169ebec08adbaa69266662aa

SHA256
622919f3817efa730c4cf7a371b453bd49b1d2173dc6a315dafe4e5c6a0f9bed

SHA512
e7152260122e13411f0f5ba7c11180237cc36081e99827996214c648e1f7317d35927d91012272edc823ffcb99a9e7671b5b0f108ede516210d13988c45cde8e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
552d70e655fd94b3d0524fd882493c60

SHA1
0cb244a6902641b10010eaf300f073caeae89be5

SHA256
c8d0645b6a7e0ab7b72f9862cc9a2a4b8c6d9d14846dcf6721e52137fa565d32

SHA512
c89791dbb6ba49fac425d99827976060662bd9fcc1cc7b7dd8e728df2cf3a2dd46a7b56211b5afac523e6e3b2ee0c14b2a4a5d56aaf4df7512b635b3bfaab718

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2df3260505e771b1174f271e50cbe910

SHA1
5f868ff9990e2aa3d8c741fe6f41f28bae3112da

SHA256
7795d2ae8168d738bfb0c8c8fe7b339a91e1ff0187aa0ba3e29948717663c09c

SHA512
b2c4d86c2d7892bcb1786cb8cb3bfe403b988283b9e9a6f51ae5fbbcd883e034350112dca720937df9c2a00f882bd419db032902bca459d16f3226e57daeb16c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
99dee3e9c72c9ffbfce55ed2875a033c

SHA1
e847347a6b3de1c2c7584d205fcb68371b272469

SHA256
e727fae84e84e0d1b9637d5c18e13c73dcf1a7e16d6e79c6eaf6bd515c1ea44a

SHA512
b039c42a85c328503a3b063160cb1e265c196720e6344438f2b76161622f71ae19f6b084760179035c68f289f84dfaf045456c440522c081cc79388930aba32e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
f80ec432a23d92e9d307653991820024

SHA1
aad0e74fe505a13b3bc28a1994e74e11ced8d310

SHA256
b196b7ba089b3e972964415b1934b2fe64893c85019f5117ff68269190039be5

SHA512
7efd1be42d81794653ca7187a976fbf817618b68978fb5c90f080f25e0cc5fb1678e61012305f2e969d7cede42ead5f716c698092cb6ff76ef6d783714673257

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f176c3c359e15c06069d40158fe970bb

SHA1
68656cfb7aab46d067cd62f777489d6b65c5609d

SHA256
4bab175ec296309adfed364d7366d85ccd32690aa83cf215fcc8edb83eef8905

SHA512
f03fe02060d7aeac50097ef1adc693bb8d46ac3cc69d69563ac96c5bf6f35c2cd5fc8875aed55384dc9b4c75c5ff0649da746aa90a430b690bd1fd81cf18fac8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
462840b0c9e00e50cd617fe3829ed2bf

SHA1
8ff6f1f9a47fdb6f4444213c7d02b2fcbf1e4a1a

SHA256
469835a235392ba5fd37d3a461f210efea37fee5fc09365d0342b3562c4469d0

SHA512
40383c080e1b062eef9d63a032379d283842cc1b408e77c072c6e156d5ad131abb4f371b20ea79bcd2837a7f619fcc6749838d6e758548a8b42ff46fed897f65

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
e37803594591669b4bba47bd0e2a69e2

SHA1
63b2f090bb2bda2267db2659ddab84927dd0089a

SHA256
d05975349fea8e985f3f66518d84b0460353241099dd049a940c3f91adbe823d

SHA512
bb54b1332f943179a9e39265f7354973798675f4fbfc4e7256e7996f25afd88f3af24b2f67af2228a3b596da52c55cec2d02aae744349b781e270184453d33d1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
9ddc819a2d3a14988dcde8a56b76f2ca

SHA1
5e489a9c85d748b127437337b14aa98be2a45e94

SHA256
197408cd4be6d8f7ea6de44a99dbb3bf69137e26091ba030e4aac204642e38e7

SHA512
7cc5a6edc97796e12cbef0d236ffdd8afb7a29ef8e2e877cac7b1b38ced91b4acc3994c35937fb69ba971f8fec49f54c4b51bf04fdf27aad48018374330c59ca

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
eb80d563fdc72c16270bff33cdd3193e

SHA1
fa4e8360bc5eba407bb8a0f4d81f71adf51ed914

SHA256
86d8c8a26624260c7f84126a6d9c2180cd84a6fcabae9bb0a40698004ad2f76c

SHA512
e2220d4b337980ebb7044d814383805730076cac670975598ae161cc46175c129308d6676f24c995052f472f4914d106186679847afadd319bf542c079ae98a5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
ac34f295c4f926da9692d3f980289468

SHA1
3291bb7bf0fa8822b1ff9a0dd229c80734fc5c16

SHA256
4c56b4ee17d23d2a75ab33cf595661c778543e27bb217f393750c14c597432cb

SHA512
39ed6b359905108b9fabc3274fc9141f392bd3f4472d5e9da65bcec14ae7a473aaf9d524c4e6bcf83326a0f320cd8e0884b5cffb1f8e83c6f2f7b60211712d50

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e84efe2c60dda6a7a89248f3b96d298b

SHA1
98112c00a5f34506552e0cfee6502e371ff0bfcb

SHA256
653307d9c4524785901408c80052cd7a03cde152f7ab46f9ad5b46bb572a3ae8

SHA512
bafa6608056f9b813bacf66e099ebde5462b2e73f01a4307cc1c88a56cd1890a255c06147de39ef05dd48e4f7e517ad9224b97f9d4edf23934ceb006be6ca1d2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a69db136ee4743658d9fd39a1b98f25e

SHA1
26510c47fe58bd800a5ab63b9a0e353e492538d6

SHA256
8a033ef04a39978df252fa57a3696f3164638c2908fded12efd296adb0361c8d

SHA512
75c23e4516739ab6c5dae1a7910255eb0b46c24fc06978c697c746357208c58ec5947629ee7daf9a02f474f5f47815c8f6a5aeb6dc72f2d9735f57fd11395e5b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
a9515e7f74ed3d822add8baa15d00aa0

SHA1
6467b46e0524f004536c8b060947d29e019628a8

SHA256
391b01ddb43990e34196963cc9454df0baff64473848cd3a1ddeee90ba832267

SHA512
894b82150332da369bcb792e5ab787c954b5a1bcd084bd3de1b6bbe27cfaf8aa34dee89652328f34be352b8930cc986856f7fc802c8c2e22e46d47c07ee1cbd2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
4c631e0e15098be62ca4424d3b05c79d

SHA1
ddce9789e97c4ad2206945f3da303cd1ee3a93a2

SHA256
3d59cf889e26fe13237b244f57ce81f1367bc508d0f14cb1bbd63fd47305047f

SHA512
a41d6a414a88fa0137af1a4f820014cc49745209c6ebd0b0fced90f3a1280d5f087355e9e2996c94e612c0cdc469d47ca4eb95f99e076eb601753abc7c5574d8

Download Submit
memory/416-245-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/416-127-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/528-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/528-435-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1108-264-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1108-518-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1208-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1208-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1208-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1296-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1296-513-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1692-98-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1692-88-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1948-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1948-44-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1948-38-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1948-46-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1948-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2000-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2000-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2000-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2000-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2080-233-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2080-116-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2328-79-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2328-73-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2328-81-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2328-84-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2328-86-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2500-104-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2500-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2500-17-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2500-18-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2500-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2668-185-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2668-489-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2856-515-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2856-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2936-512-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2936-204-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3044-160-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3044-372-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3668-97-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3668-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3668-6-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/3668-1-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/3744-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3744-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3744-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3744-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4076-487-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4076-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4076-278-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4564-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4564-514-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4612-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4612-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4900-519-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4900-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5000-257-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5000-137-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5044-113-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5044-221-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download