8c78d49e059f32e7b1df82ffd324e36b041044994e063bab799e85eb6727d53b

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
Size

1.8MB
MD5

f942a87643cab9817bbfb13580af31eb
SHA1

ea66487d0b34465710b638bd06850034c8a1742c
SHA256

8c78d49e059f32e7b1df82ffd324e36b041044994e063bab799e85eb6727d53b
SHA512

c979354fe111c219bcc9cc77196cd7ac7e5a57a4e0439ce32dfee25877f6ddabd563cca2dc3f6b990c30439e187940d54a86dfa876c07a203b8bb5ea3803e64f
SSDEEP

49152:8E19+ApwXk1QE1RzsEQPaxHNc/snji6attJM:B93wXmoKkEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4192	alg.exe
2196	DiagnosticsHub.StandardCollector.Service.exe
4432	fxssvc.exe
3768	elevation_service.exe
3080	elevation_service.exe
1860	maintenanceservice.exe
456	msdtc.exe
752	OSE.EXE
2532	PerceptionSimulationService.exe
3152	perfhost.exe
4924	locator.exe
3948	SensorDataService.exe
3632	snmptrap.exe
232	spectrum.exe
3940	ssh-agent.exe
3388	TieringEngineService.exe
4940	AgentService.exe
4596	vds.exe
1268	vssvc.exe
4996	wbengine.exe
1964	WmiApSrv.exe
4692	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b244f3fc3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a776b30feb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028c57930feb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084007530feb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000fa692ffeb1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb015630feb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5db4e30feb1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7b36630feb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a49592ffeb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe1bce2ffeb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
Token: SeAuditPrivilege	4432	fxssvc.exe
Token: SeRestorePrivilege	3388	TieringEngineService.exe
Token: SeManageVolumePrivilege	3388	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4940	AgentService.exe
Token: SeBackupPrivilege	1268	vssvc.exe
Token: SeRestorePrivilege	1268	vssvc.exe
Token: SeAuditPrivilege	1268	vssvc.exe
Token: SeBackupPrivilege	4996	wbengine.exe
Token: SeRestorePrivilege	4996	wbengine.exe
Token: SeSecurityPrivilege	4996	wbengine.exe
Token: 33	4692	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4692	SearchIndexer.exe
Token: SeDebugPrivilege	864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
Token: SeDebugPrivilege	864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
Token: SeDebugPrivilege	864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
Token: SeDebugPrivilege	864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
Token: SeDebugPrivilege	864	2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
Token: SeDebugPrivilege	4192	alg.exe
Token: SeDebugPrivilege	4192	alg.exe
Token: SeDebugPrivilege	4192	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 2944	4692	SearchIndexer.exe	111
PID 4692 wrote to memory of 2944	4692	SearchIndexer.exe	111
PID 4692 wrote to memory of 420	4692	SearchIndexer.exe	112
PID 4692 wrote to memory of 420	4692	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_f942a87643cab9817bbfb13580af31eb_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3680

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3080

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:456

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:752

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3152

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3948

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3632

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:892

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3940

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2944
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
677f465f4552eeb19210fb6f7b464912

SHA1
214d447ff9fbdbed4f271222b7dc055d74b00130

SHA256
3bf61ad7a3909d217f3ebf35ed67c9a62617cb09355fc5775b7ee8588204702d

SHA512
ca44290c1ef4d68cde8c7ccddc44bd7f8e278f5f8cc370303ea7998e1e72dce4c0723c9856e163d4275762ba86e8ce6e35d1886a62f14678b97108fe08db9d84

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
09b37f167b0f7c57362fa764ffe84ef3

SHA1
1a955d1f2355f2af6f78fd0824c123b4d6439f04

SHA256
b3797c66c1f89b021a0ab7c5e67491fe6475f5c7ec1171139376c35e81e743fe

SHA512
702152dca636aefff900492b01ef05781827442e6d15301fc901f60c00c576681f93c2cb49b0ce980c3fc896ff159150e9e0610119efd0dedbb0c4be0422a9b7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
92c8ab3d259e9a2e42fb62bc41a340c3

SHA1
1f1d7738dcd9592f4afacd093c4a16fae1f59825

SHA256
ff5f668be6a904fc7ac640655ff567efc5b2d8658d1004bfbd02d0ae92cb924c

SHA512
11d25ec5a820a8a69ce8d98cf2d47163247ceff23839147dce63a2120e84d440aa0fa813163befa90c6fd759282337872474203ed0654812ce19e4380bb9b3dd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9f0ee8463e2fc4ffc7225c972307758f

SHA1
1024c547b82a70bb19941d55575d4acab436fe24

SHA256
b4109336581e1619376a8981269c2a47987567cf8edbe1d17e8d28f41923be18

SHA512
f5a02e86ea3279ec79339976661ed664dd2f4d0d28784ae76b80744413fc4b69b4d43a100d376d81aea7a85d3fd1491d16bda5ace716ea642085b463fbebd728

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
09e4835db9ba09c8d139d52c1d8f215e

SHA1
e7e24c54f93b5dd8240805c5044e1581bfdb2166

SHA256
128fe6da67004c5c90290935b1a2fb031b1f5bd7975358f588a1fae131ae48c5

SHA512
582527d19bfe3b0e1ba2c78ec7bd25fe6fa5288dc15276ba13f3de6930de6e6a0b39c6a81f3c2f03dc43ab95bc01c61ea06bf9a3a3fdb71d120edab546b7a561

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3b4ace3e4d619ee2b9f1176e93ad4a0b

SHA1
848d40b34701967af0a7df73aa3595264a638026

SHA256
4df3e4e625174170d4d47ade985a08d542c9c088fe0ab373294c6b1b794c45d4

SHA512
ad53056e4646636ddadc77f9b1efc99a7c118392003608ab93177364512976b4bc5771c4fca459494629f6635a6a8a4b98b11e8882667627a4925e1931803442

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
daf25938cdf817e1ba7137e2593a6cd0

SHA1
a0926ae9e367f5faa177357a3bee97bfd4f79b9f

SHA256
50da98a1274efd8f171222127d6e6e7a8dd5f793cc713d7b8efb161895e0261a

SHA512
7ba8cfed626b5f78d7c4259a90f978832759dc3675660d80c7439a034b9b79c0ede17fafef186c9235c4f8f72cef4053119f59d139863769b547f7a09d93d6d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
66c1122e51bbedc16f6b37f9c92c0883

SHA1
16185d6ea3f67708f8ad9f1b6fcd7303c3da2392

SHA256
a72f520a0beb1869da2bddb8ddc7121aab486e5fe6e1fb360adec7f52e4c875a

SHA512
519657633a8bc2929adeaf2364dd5a1521ee2d54f5d1557b6b98aa6c253efb9bbf225a305aadc047db6c3a52377b73d83e275e653294ee0616f721094c6ad9e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
21ef3438d13703076490301c2d1c25a1

SHA1
bdd13840ab56991deb0bb5f707eb4a95b928f8b9

SHA256
9d72aed87b395c555d3eda13d44e3d4393693ea1d30c3cc3a389acf05ee9c07f

SHA512
1bb1a64aa22452e695ebd4a221849f9cf81b1589ae6d2c4a47ba7978e82963cd0825fe36adbd2e0122d87c9bd3da01da3fff0b08ecfd7e63972a95c0cfa8adac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f429b7178dd202985169bf87e7b2d57a

SHA1
90457b7a60d7c2b97902e1197c7b423e74721c22

SHA256
a5dee065e90f5670ddf1ec766dbf36fdb951e2046a952969f6296fc6c779cad6

SHA512
73a8e98919dbd60bb75339c07d09bb9e5abc6c9747cd2bcbcde6af234b5e70dbad62c0dafc91b3372f40ec003ee45f4747793d643b1df3c19f0d1d585cc64bcd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f4ac005c945ea18a512a7d7407ec2fc8

SHA1
526f7b775595591d8b4e51669b8fba3f61430804

SHA256
680e7b5549e92a81bdf878cb3e2a74909032a55896722b22ae9f164673a5fc85

SHA512
1206ff80c0ab932c9e9bd77ec7060e976583ef829e63afe61170c63d54d9b649ad3fadd22b84f2f75776319ee2f4301f44862da0a302406b0e5ed39ca4718936

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d49f0145717d42b307b5e1f48d95e22f

SHA1
db2970b7d4fea959d72879d4394d10d45112a9eb

SHA256
f6ca8ff2dff47414de4ba704b69c9e3e45903206617666d3076757c1c1ecf629

SHA512
a7865631977a31eb7961f7f70bb03e8214ed2a53cdf540a26899efc35bb3c97a7d2c620f4cebddc5c6d15198857fa52e40dc2793ad0cf2182ca3ae732c8b3916

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
91aa638f3f47ecb7350ebb3faafffcc9

SHA1
2829a671c40acae7cdfd804e2e7fb209509ca503

SHA256
6f98f6b8de4205d9df013ffb6fb52e2855996c6eef5a2fba6116d4be7c70325e

SHA512
223d512c38d0411c2a42448ded96fa388f43a62e632da3031c2f65cbd2e4b5e2d14be2e5809fef080faf5d063cc0571330c2e7f77803f553d8ce527e389f419b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
39b872e59a00991ddf3075e729b12e80

SHA1
350519ad55ce286541bd302165bfafe629b8957d

SHA256
749cce50c95911913076b96de43000eef0a9aafe83303adf9b4cfb6775f0f1a4

SHA512
e454951c6bc9763bd4771daf9f8dd3562c69c43cb239fbff5dc9a48c12a93d1d19c4a2dd287f23c906fc42566821dbfac630d1cadca6c87644a0f2f3f81fb2e4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9b2c2948934e92910b36ceb457058171

SHA1
e1552680dcecd5609f8506e98d9fa2f42fbf9461

SHA256
a4a002a746e96a83b7a6bb86438c456db7a65b0e4a81a5be92ecd0200dde05c5

SHA512
670835ab1735d2218711e8d6d1388fe6ff8df0c8f96aca8aa63c5baa4628c60203f00506736667951d3fddf26bcf3851f84b98aa04b18a674c1b47527c531b40

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2dd747ffd8c12308727d3c8ebc09637b

SHA1
04e062dc60f406706f278289aa5ce47d2ba21b60

SHA256
a4e8b8c59360c52f4006c547e5cb65a6992e292770eb711521ce2ecc3f9ec870

SHA512
31cbd9bc59c8f102271db5c5dfdb28822db3d83711032097857170610460a3d5e1d458ae54bc5b85139a948bc54084b8378ae09b616204ae4723a85f83e71244

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
49f2668d43fc07edd0a62dfc9eaf5690

SHA1
672dc38e3cf400e6ced3cf3d5b4cd5f42ee8d726

SHA256
be1d6461d6cc54332cb862e6e4068023709431193c991abf222a412344ef3806

SHA512
3ddcc504a120dce6aedaa3e1427acd8db2c5d7458ce978f3d0e92f3501a0b2df81f29954314059d477a6661742a9df1c498e1640bca213b90dbadaf43958edd5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a5a5b7f0d6f1a4e77e3ebe8e1d009eac

SHA1
4e5bdef9c446a19855b3bbde4bc81b4d9af8cea5

SHA256
61b0c13b3d68a1ec61401aef0daf3f1c5c94c9f23c311b7930eaa3f7c3cf6094

SHA512
2188aa62e4abe6a1698fb393ac6b89c6a2135d51232a6771785c7ce2a52237c3fd85fa90c8e7d00571fdf46fa50048cc16b5e432d266b07a1766673b2049ed05

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ddd5bb5405db8255e71802f14d199090

SHA1
d03edbb5acb8c03eb4608b5a30e00bd174fc4adb

SHA256
3bbfa4ece52f47f0190f81a1b95e2519ee5a71b7bbe6d333bdd21a53b22f30d4

SHA512
20fb20572867b93aba7bc38942d29694b3b0e3ef696d34963e5a7c73f9a252b0c5c0c99393e5333adc229b2621629e0c33d75eac31da55c2d4d4046e976cbf1c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
465dce1948cc8cfd9f655ce3d012d31e

SHA1
a330abbb86992052c1bd559118722df102ba010b

SHA256
e0e634911d8f5354203fd7f409227052ed44996b21538c0a495f57ad10a0bbba

SHA512
291e59023b5e0c29eb526d91a1c1ec3143e8b637a6d8465129ea6dc53093761ef3845fee2dd6c441294e91e35990f8e9670f94d66613f792c9aff6c0087f1e08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c7824edc32a0b47b6de9d0d3c6d7a83f

SHA1
2069622c7813a8651c70e0869de51c6d86758d01

SHA256
662481f2e00456ac86251299598e47beb15326f705f28478b359132243ad87f8

SHA512
ed9117b566a966b2234209d357b7d8d01caa5a7b79cc3cfdea5657ad48633506ab889f079bc93c40b521edd9e2bbed0b2a23e0a811217ab9f5108b64857b81a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
b6f8d21982b19df05c0f503f0abf8dc1

SHA1
4325d5c2ad1ada68035d73fdfbd7ea1a3824a3ea

SHA256
632bb1cb51bc1cf8619e70c90131c73dfe7a38e4b40e3f095e4c5d4a1efc9496

SHA512
4aa367e692077fb78dab85cf589c1ac3971f9fadcb491a5b6dddd70e50dbe3a64d90cd5872df7df1372cbad4686106b19b2838b4c37f8fc9fb05012414031799

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3d7d533abbd247106a0dcc6eb706dfda

SHA1
ed8f4a7bfe0b6a914211bfc507be21a5d70088d3

SHA256
7d38ae35640e55fdbd4a4e823e69bd9275676b270e923b3b47924698ae7d4616

SHA512
db22f7e112ba369949879ae0050bcfc4c8e28825af85e42ac16cb55d29c206fceacce6b65bdf8a88cc462c69021a2f32fae826108ab86f4e13e4e6846b6070a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f2bc20b3da4b4c3156e0767a7a994c49

SHA1
86d32d685ea0e8690b3b2d4d7ef5e791209c91be

SHA256
1e7ed1d8f7eec929bc766c436da086fc53b9e4dd8b0a1b467cb2ec6ad32f79f0

SHA512
579a75e4c74c139ee7206bdbaf8087b8b9cdd4c68aa7c2cb090d9a3e2db55538b3266cbdeef08983157fc80ffd70bc3011c191d24cafe1d11d986011853b1009

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
3376176fc437f96b67875af003431b5a

SHA1
e8058f762900a62c80ed56a513db8c7ea97ecd19

SHA256
59f861f300969189ed1945f239879a3984e3ce303c1c6413d0a17e854d8670bd

SHA512
3ebc6e7a7cb19dc368b401d62ef7da049c8fdbb3f3a74db24bc94905976fb3e62c22dd30e53fd91a660a0dfb5e89a5fe316f56479aba295aaddcb1bd9e2d6435

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bdd663bfa5af0b691ae72bc973b0a7b4

SHA1
281cfd9dfc4bef8ee7c00d874f219f238cf8ae00

SHA256
7773cff02d92d2adfb3f11c489bb061beacf591455d31e27b0d831f1d99b6f78

SHA512
36aa0c01c59b1e4b78d173ed569803cb622ce28c3aeb50df8958f802d5c2d8f6102fbad175008a3bb5f07de201878ac209385e8802dd144edefeb6ca3dec7435

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a676de4c4abdada9734d3823614118c3

SHA1
be6679884c10dafa63b59b2505353281ec6203b1

SHA256
f0fd2df8f7552ca3859f7835815aa005de47563e2abed61741af5c2b1c25d07b

SHA512
3b8b387d313a147bd6c5b70bb2626dfbcf8ce7841fb312368f2430d3f28583e7eea7d7c3114b5d537158d4228f852fd14bbca372821902d3dbd40786be57dbed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a8b619af6563822162c583b070832b40

SHA1
e4d9f0b506a2850511184aa699e086afb8c96d1f

SHA256
342bfc1b0966bb552905302bb5357634410b5fbaeec1144166119820d5ebcd7c

SHA512
675644bca87c3a66236f767d31cfc4d874220c4bc7fc09c7857dd220e541ea38e056596c69d694cd99cbf4473c117c1eed7da728c6232e91cf8a87eefbf6d48e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2703622d97ed8dd1aa7ba22da6fe595b

SHA1
9aebdfbcda92f4cc7c2bcc12cf14aa69559c734a

SHA256
bc554103527fbe485446a2df2c3f397d0a0c33394548595be4db8176729a747d

SHA512
0ab730d07f76e3c0a9c03177b4a02a102a5cd1c5a5ff32ea52497badfdff28cb7e22c88c0458d34fb85fdba8fb74ebc46a3d6b0356faf1a7119768923f872cec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ea41f5c3941a31b135a9b2ba79c1985c

SHA1
c4413438610fd3279ab2e8b052510a26fc226421

SHA256
224bd2f464681d02a60877cd77f89d0902e1c3da69bc54bafcce4ef45b27a987

SHA512
6f54de0488532bb74c18726f027fde9145e71bba56ef98c120a757b10b61c8ab792b1f8df01909791b48293d0eaaad662253858297390f1633489d5fc9197f71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
5bcb3366ec72ab65cb68236583178471

SHA1
02cad947a012e2509fb52616a09bf072f902b6d4

SHA256
a1ef1ac2d7cf8102fee6b30a2ac01cedeff5c8f331b4a7de91a2eafb1e52dd9a

SHA512
cc4faf2c970dba5634c8b6fecca2e59d77e9450a63afb61bc8cf19308c0d17ebd5214364d388b2549183409b4d8c7bbd9d74f0ab0082374eda408e2668a42a23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
331fed7be3a1ada3cbaa9264cb1941b8

SHA1
d24015ac6f0933a4d1d85518e64f28913cc119c3

SHA256
554e7420dda6bce7beefc42e95fb33483cd4d759acbd3cf3e57dc87beac7c34f

SHA512
bb3ee9ffe31868a94c169c2b00eabfdd83a22e8bf81ddfcaa10742021d0598eb1e110ab1545a9afc44a78f30d05551422a5e93c225c8d9c30e055a6f9f865d09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ba28bd3d380d93a6580f2baace000e5b

SHA1
a5159a43d4ea2d04e4a7ddb301f071ec0a19278d

SHA256
84f4f630d3dac29db4d6de68cd02c030733901dfd5aed2eaaa5d10e84e255f0d

SHA512
47f66a9b2888595667f09a9e3eed04b082c55f1b4d28c27c3674626e0fa8e0c630a8eaee81ef63ec5762afafa750cfa72bd15c414bf5bc85628950de34f0c31f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
2365111708e910ecf47b87679082d711

SHA1
2e343d6cb06579d38444e638bd036d9adec22362

SHA256
4f53bec22d08ba84180b05473dbbac6198000c595526c2703b458b4b69ebace9

SHA512
6790eccf5456a86c46c77f3c6810f80734d68cf2f25389533839c7b33aa5a07e805c4383ae1796bceba96ebb8dccd4d3c00a8be7c763c1d3e327dd9d72da5e81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
4bb6bf87402b75f158b5adb24c832150

SHA1
01ab7ecc462939de53b4a1c82dfcca9da2f0407f

SHA256
0bec8f53106a5a91f5ca8745694e04688d9157af6abd6f031bf856ad3043ab9c

SHA512
b3ac76d6ac2165d3b6532775c0e19d393d594a96c9ae7ac660a476fa50ba9deff0907cc8710d03e72a4bb5a743ed24cb23846de45a4a1dd8716f678487b11c19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
62173e721b179aca3ad082942fb637b9

SHA1
2a30b336f2d90538964ccf89e9966e7a2f393bd5

SHA256
f448e3fc8a41bf247b5ea7b37f41b79b28e091366b2e40afbd6e40d27373c57e

SHA512
c47a97eb3aef218c41e47faaaff3af8d9f8f16ae7fca6f5b4109049e94a26fa772077da86fc9c362b6d9e60e0b81c96919eefb54a26bfa982fbaa7ba010a649f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
af467f9143f73fc6014f8a81eb44e851

SHA1
3adfe7acd93af73d179e07930c7fb12c5c6e157e

SHA256
b18efbe1dadbb38876c2a1ada47df06e204228acbc43801590e67ab835ec9996

SHA512
c4ea6f597cb4b212db0fcd979f7564c600d18d46bcdf0ccf5fb39eb66a00ee6f85136e148f983351d5b3793ebefc0518e3317c0038c93635ddf3f65b73f96757

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
337cfe348e39c69ab8890c8ba6c3f4f6

SHA1
ba25f71e3fa231af49d73c9f7a9d8502ac518fa0

SHA256
382560f14a63dbfb3aabecd9b34362eda1f8c08c7147447e595989f0be515420

SHA512
42653b0124b8a62489d26b3dfb695dabc23c29fd467d7869d8fdcf137371288cd3cda582eeca43d266b4645eb7e89483374a87a0288ab535dce99cbb7e49ba28

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0568c604f2f3e6d86ebf732c53105daf

SHA1
1faa504fc169df9ebae4d55ebebc4f3bf2b497c4

SHA256
2822fce68c7da89b75f53000beafc4230ebd7c3fbd58671edea6b3608e0bd5bf

SHA512
d665bdc02cf37941893bb01e08c7f0cccad2d51cb88838d76a42c2629ccf13cbd3df466cdf4b9a28a794fc5519d0e56954389a068987284893339bd91524f081

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b885ef836512efdb2e19005d2bc1a05e

SHA1
fe6aa5f9fdcd74c2c2dfd9136ba18c7333f29751

SHA256
16b3da46af3702a1c1454991fe6022836cb50ddb1a1d8a71167a33310d912fd8

SHA512
fa03d481caf1a2abc6e521bb40db7500ede034fcd44a11e7905f5efa90640b11f6af578b4e56d0c28b827476cd0cd44d13f1f16fda00fc2929eaf959e75c8b69

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7e062c8bb66cef24b3bae362f0b08106

SHA1
6cf597e855d2fc7dcabf38829e9f555be0f6906c

SHA256
9209ff8412f3ca1a2e42f365991e732c7a160da00e3765278a49c1b59fa30f8f

SHA512
9f81ed018fb002c7914d4e454d12e49a4aae257758c0284d47cc2e59e9fdc2b60e5f99013171ef21f7f1c42ec71a3a11fc215b87932bd48c20a76a1c4faa6f44

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
172d79ef3a91fc5e5ee26cd94fe6581d

SHA1
57e40f8a12c65bece773de7d99e0c632031e540a

SHA256
8e9918640c2f87b91d629310a1d900955838b53beb710fdbba2b99666253c536

SHA512
1ee57c41559df425af31d32a3b225d960e1a7bc6eaeb83f180299ab1f639da384acc96f4427e3f6a2d4b6349486011a4ef4e243d25e4881195cb908091db3db1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f2494519bf5607dc2d087e16fd6e1738

SHA1
a29c33f66b4f8d956afbbea109db6a45b9c8c163

SHA256
f7efed86495c460e0e39d54e63393c6e1d283c6fae8a9b5510eba0be92938b7e

SHA512
362937e37aa3862fc3c7b1ac8b7edd39feefd65bb2a78e0b01a540613752a43ed7383011cfad0cb895cfb9f67ef55e27795eccf6f7a1a29c1475f9fc8b9915b9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6a7cee2edfa245a31b8b00799beaddb7

SHA1
f6531f1f6f04e95bcecc6b66f92540a38837b4d1

SHA256
f4374b7e4b9595f7a5dd93f44d9e408d8058cacdab3eb601fb992722a0e2cce0

SHA512
77909cd643aa532f03bc96721d44f70ea69099e499e88d81fee850d834abb128e2f8f06bcffcc38504212fbb8f7dd36c5906b207f89f2b3441e9d043d24bee65

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
387dc851b0d41d871014c73d8a1f1c32

SHA1
cee1fee9d2b21624e7771a8dc8e8c729f21b5f89

SHA256
e92491c3d64992b8978da4f4507fed7d01c66c163b8de2cae5fbfc04d320cc7f

SHA512
2a9a7f122d8dba2b7d9cf8ab4c6c64a02badd3123a37ac4ef6c16dfd04ee7ee5d98d539809d43b5022becc09455aae291c6967cc6b678a26e1598201d3d9086c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
71cfd35e4b8c141042dc5c3eaf415679

SHA1
437aa1c6c6044aaa14ecd7f65a2ef89db0d6884f

SHA256
43ab5ecfdbc51b9365c980b6196829e2f04c2f951a762279569e69808379fbbc

SHA512
feb4ce49d8f39fe1296bc93b4be73c8b15f64d179b01b41af84d590ebbebb8f917ffaf58d7d21335adfb6f52bb27ee6cc8ce870bad254a610deb87d1446cfa3c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5f553d6f88455faf661d015e51fe0d5c

SHA1
fe3509bbe7c4e66ba5350f6c8113c562b5e6eabd

SHA256
53d8c9560da468afe37c7e6a9cf368962c89b07e2f028079926fc4b7e4b7717f

SHA512
9c5e6853fe56efec56293d1924003bc55a47043e4e0304b7af88364d4b88d23f4863e71a1103b200c83960c0db22543971fd6bd2bb016aa707d017ec90f0668b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
85769426cf589a275575daebd64301a9

SHA1
d7321d2e02595dabeb50f7d893b389aa565504d3

SHA256
5079c953cf54cf919d482232020c6426a007c0c186da9e7c499c2bb0b1aba015

SHA512
00e07f2f9b4e7730524fcc0985aef790bbba12ede5ef48365a7da2c476b0c923ff72222b08f9b39c07c6a50fc8fc6f220d1b6ad95930a89b048a1ad131525702

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
bb3e7753b5a8e53dfb501d09ea6e3cd0

SHA1
071695b3b88bd20253c23ac924a5d6e76d451098

SHA256
740c238783ac87dddb5725eb0a5a47bebfeb5ae52bca8e4526d24a0ccbf22f68

SHA512
6ba165ee28e63971f7be1914bf1bf630a96ccd179f91e6e2048932f8d1d4f8cfe2817f8ecc290184b8a87fd64cbd9d755c915545f28371738582a3a620ba6ad5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
099746a4ce706adf104ec6e61dc7936d

SHA1
02234b235c615533eb7e5bed086560717c52d532

SHA256
c24b70b0a07ca340bbd054a973006ab3aa68ff84d32ea829997ddd2f75fa64a6

SHA512
1cc961f59df5e67b9d8c562c06e2df8809c86f23eb6f3ec7cda4d686e0129fb215e788973b40f1295ef135688dd20083d90cd564a0d51edf8d0a7a0497d1d644

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1c52a2165d4bc90b6adecf6d1771f887

SHA1
df551228e9274baa1261650d1c4e92db626de39f

SHA256
1a0fd9a82bd37387388a36c800bf20040a94c8f4bf77d1ad9b669ab80b127974

SHA512
45b02fb6122d34e3073aec83b40bb4a665ee637468cf145b5a42026d7b647756c4c102076afd957bc95b013954909f900cfd9a7ec0e018488e68a9d9e335f0b6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a76acf6f3dba3498ea1996dfacda37ae

SHA1
2f980d325ef3ab5e220de279320fe8225d8dac64

SHA256
aab29b00f7f12e060f880cd98f15066a58009be7ea3a3fa3cd003c882f300bb5

SHA512
a4405257ac7729b4394195bf26c6cd85785c281b2ba0ddf1cdc3a1535aa3d2ccbbc28ae5cda526dad8d93646769a9b88b95f42e46bc1308ceb7418ee755dda62

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c21c7583e4b26bb34a5e641832498a94

SHA1
d5587850ed65efce578193efe7b83a2bef418650

SHA256
41a30b1b07c7306ce4bb7b496c140a2a5526d0cbddef8aac89ac9a7a57374bee

SHA512
f194c23cd07db017cad876a02b19c8be339f3786cddb16111f4fda21d5a60d7212a407c27f85490124dcfc79e1f348387aeb24f108cff543aec5f7ed636cd935

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1b21f779d7decee4ffbfe50dfb59536a

SHA1
f4620cac861facbc612b1bccd71e96ea0457fac1

SHA256
90ba4f0b3c4962153a41b1db7ffb1ac4cc8ea3f0bf107d7f547b5bc6b32112ed

SHA512
2bba7a3c8f40a2b7d3dc544ddf15fca1e54edf26ff04603d2a913be8d8d84941b80adb1806ee312f5e2b906fb3e06b197734745018f95543ee9f725148fdba3a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5e5c4b6cb61fdbe12be73a377199bf74

SHA1
e896693b74974499764d65febf75605164faca25

SHA256
0c6a970bbae50cf46082d7c9922d2261392c8577f68f739c8e9a6a5d658883fc

SHA512
8cdc7f353f3e42e66023731360099c1ca845857238be7328de3fd321864036a8c494fabfd29922a5bf1cf462e386ba2865d3b7cdda48037b2c05da7b22f01d21

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
97c69006f4d239f7c3ee7fd2fdb6eca4

SHA1
0a559910b6d82a9d81cf55c7390efda94c18294d

SHA256
cb3a1b43df1dc92565e5aaed8931eb61ac0ac911755662adf3abafc44fc22bea

SHA512
95995200ed6ae274a1f52d92ea6deac219b91773df3813b65dca11538aabfe20b4dd7f41092a21a7d47c62c4181166f894c854d0d25f2f12eea41bc964d7e7d9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
334b5bf77af819a2b75edfcdcf93d46d

SHA1
2b1a3750136a7625b90c5581e74e8646a801c7c1

SHA256
fbda369c6089e25d0b48c36205e18717fb475c72040e1fd4a6dbe05300ccb1c6

SHA512
df1edae15d3483fee21bad646f6af9e935ceb7411436c384f703f9f53b18a49ef7057f3a35f4bfc9b6d6687ee6c1826bb52f9311689aa06b914580f0a24bee70

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
9eb10df4d6b1781e6c0c9db4a604bf82

SHA1
a7928165f9637ebd07f8e19b740e52151db671f2

SHA256
188c90fb965c5d4ac8b1927a95f306e8e2ed16a146a16efbefaae79d2c07740d

SHA512
0ae45068894dcd4443f47a873060c77863bf0022842083c973af015b28749d0c1acef38431f0b3c1089882c8e3ee164696b09f473ade518d86b36a22ede33826

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
50f9488b5d5ab7b4fce3670ade39e6a8

SHA1
9d430b131b53c8661b3839aa07ce5b92392986b6

SHA256
8510dff0b629b8755143f2fe65695e417f6f32507ae4242161627f9f4b95c83c

SHA512
19aa9eb160571119ed553d709e4fb67cbfcf640c2edf1535da7658c23f2f8d7deff28a77b2240f50db61c12048e1ad9111f3259ada151b1536f072d33b123d24

Download Submit
memory/232-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/232-473-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/456-207-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/456-89-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/456-88-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/752-222-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/752-109-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/864-2-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/864-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/864-100-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/864-6-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/1268-549-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1268-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1860-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1860-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1860-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1860-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1860-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1964-553-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1964-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2196-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2196-31-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2196-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2532-234-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2532-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3080-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3080-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3080-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3080-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3152-246-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3152-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3388-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3388-545-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3632-447-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3632-166-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3768-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3768-53-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3768-47-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3768-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3940-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3940-528-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3948-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3948-527-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3948-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4192-18-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4192-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4192-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4192-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4192-115-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4432-60-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4432-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4432-42-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4432-36-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4432-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4596-546-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4596-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4692-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4692-554-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4924-258-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4924-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4940-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4940-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4996-552-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4996-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download