0ecff9c24f4332d1152271a071cb3e7afa1c35cceff6f6cdd27572a64c458f75

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
Size

2.4MB
MD5

cc3e6455d2f59ab4f9695ece77781941
SHA1

eaac387ae4593dc1d38bdb5a9272f287cdbbb3e1
SHA256

0ecff9c24f4332d1152271a071cb3e7afa1c35cceff6f6cdd27572a64c458f75
SHA512

198213dfb71b6bda2b76ba175c6123f44750a264906603d73e9b2fcb50db4f4a75172d7f62ce9efde586d3461b8a66694be8bc58480084483c498c255054333e
SSDEEP

49152:nzONdG35/VV05vRXa/4XxtupKPs2cCgqQ7vFx75atV3ATzRGp:zONdG3nVSRX1XxtM2cCgqQ7vFx7znRG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3740	alg.exe
3848	DiagnosticsHub.StandardCollector.Service.exe
3044	fxssvc.exe
2276	elevation_service.exe
4072	elevation_service.exe
4536	maintenanceservice.exe
3980	msdtc.exe
3768	OSE.EXE
1940	PerceptionSimulationService.exe
1768	perfhost.exe
4380	locator.exe
4692	SensorDataService.exe
1524	snmptrap.exe
3396	spectrum.exe
1824	ssh-agent.exe
3992	TieringEngineService.exe
960	AgentService.exe
4156	vds.exe
2604	vssvc.exe
1196	wbengine.exe
2816	WmiApSrv.exe
1924	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\512379b592be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4B7946F8-973F-4AF9-AEA7-D50B80611631}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013d17a6dafb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000643286cafb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000245d466dafb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015ffe66cafb2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f37206dafb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe6f596dafb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000539016dafb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009533d76bafb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b1cc76dafb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000760cd06bafb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3848	DiagnosticsHub.StandardCollector.Service.exe
3848	DiagnosticsHub.StandardCollector.Service.exe
3848	DiagnosticsHub.StandardCollector.Service.exe
3848	DiagnosticsHub.StandardCollector.Service.exe
3848	DiagnosticsHub.StandardCollector.Service.exe
3848	DiagnosticsHub.StandardCollector.Service.exe
3848	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3956	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
Token: SeAuditPrivilege	3044	fxssvc.exe
Token: SeRestorePrivilege	3992	TieringEngineService.exe
Token: SeManageVolumePrivilege	3992	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	960	AgentService.exe
Token: SeBackupPrivilege	2604	vssvc.exe
Token: SeRestorePrivilege	2604	vssvc.exe
Token: SeAuditPrivilege	2604	vssvc.exe
Token: SeBackupPrivilege	1196	wbengine.exe
Token: SeRestorePrivilege	1196	wbengine.exe
Token: SeSecurityPrivilege	1196	wbengine.exe
Token: 33	1924	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1924	SearchIndexer.exe
Token: SeDebugPrivilege	3740	alg.exe
Token: SeDebugPrivilege	3740	alg.exe
Token: SeDebugPrivilege	3740	alg.exe
Token: SeDebugPrivilege	3848	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3956	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
3956	2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 4360	1924	SearchIndexer.exe	113
PID 1924 wrote to memory of 4360	1924	SearchIndexer.exe	113
PID 1924 wrote to memory of 2888	1924	SearchIndexer.exe	114
PID 1924 wrote to memory of 2888	1924	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_cc3e6455d2f59ab4f9695ece77781941_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3956

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1508

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4072

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3980

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4380

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4692

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3396

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4548

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4360
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b389fd35fced3109586f4d072faaf843

SHA1
cce9c1b42199d7b5403a57b1bbb580811df5690c

SHA256
dcc9601d9b1ca731a7aeafd244c6be9d30cbca4daf81fcf594b437fd9cd400ad

SHA512
86fa23e1999fd9079530f95cd42418a882d96561f5c406e90b09768a857c6fe23515ace33f44e778556e65425b29ee38219b330785c2e45669cf04d9649e4af7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
313e91ea8259100cbd1bf4f9bb802d4e

SHA1
6d14666cbba410c063b7ff9067acb33741cedfe5

SHA256
956a7c25354bc6889271d24cefa219dc431b179d5f13fd0cc3cdd656a3f15eac

SHA512
35231d085b2ffb1275c12febcb64819a61cd690ad0a22a03294087d179d7338589e287c04f73a25fa01a392d5d4285019de9e7f069a41341578cf9a2ea19baf3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d22b35c90b5a2a6c26460d3ce90a2f43

SHA1
e49c6437c1dbe7a64b71642a77a9fda8bb0eda85

SHA256
ea8ef6e12ac0e587b183a2cb0aa0f8157c505be89aa663afcc8d18e2a644c2da

SHA512
45e6649c7f3317f1a4f33b3f5a8758ba4501e3d5ee5d5131cfd6fc69f36c48e240935695764918312ce93b5b01e5a07512f70c189af1d89a7413761a2d14ed24

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
df60181a0cdf017ed2bcf9b0d3ba0bcb

SHA1
4f7afe8fec8e2174ca3adc62449ab3faed53d64b

SHA256
7b214c77206dea8d769cdc409f525fa77e06f85c56255e9371a767701d16d8f0

SHA512
6ca52a3f0c20cfcf2c42f2e799a5171de8aca5f8e9f9ed3023d91f732e2cc6db83790ce3925eba7c1a2bc0e3bec44f0afb7e0faf8857119eef4efac251f596ed

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a80cf197f82db12d13689047044f5c3b

SHA1
d44fefedab54ce71d2359f5423624493a3fe4261

SHA256
bc78ff9e55c173f66ea4dfb0ba96dbe7d1626679a2fcb35910128b9e349c8f7d

SHA512
2ed001b5816dc3726505766644bc739cdc5ccf412ba435fb671c8c33abb85dcb57d5e2ff2bb454a6e0d7906e3aa82efeddfbc186d01dfad07712423932a45b80

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8603c21cb64cda38e46bbabc359c49d5

SHA1
1027e1312e298c22aafc7787202bd7e109f170d8

SHA256
058de5de58ae3b133437bb5ec1b88e24aec34c93dee07b1c307e9038dd00f5ed

SHA512
7fdd23a4823df718623d9022dc3c88c1597910c8b80629e5f8e5203a23f445d48b49e8a97fa1fe7a63bdb2a459da655dbca0b07b79df866372e43ccc2d601b57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
cc69b92d60b414517cf47fcbd156f978

SHA1
3aa36b596827ec22578520f31f6bbe7bd06468c4

SHA256
83390f59897d55ac5063cb5716e04e23b13f63f31e0d2cb7ee1c429648898f6b

SHA512
860546bec519bd46e6747341026847962cec9874ee0040385267c60918858a5b34af44615fc75c6eab8be3efa6f4e8ec65656dd8740506f56f25b0d5d42bb612

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3d43bff602e58bc826cd1a0a4f7257a4

SHA1
48a0f5e87bdfb88b1b92cd61daab200d35bc3a49

SHA256
59d0afa834c19aeb5993537f4af6475367d25d95978cb6211f4f25ea378f1cf1

SHA512
f46f78b83ba56fdee78a10d3150d83fb043fe27b05a44b6cef539fcf1e177a5b10a65f11ea727b3f648c0e4b03120c400dbeb0131e4f457785c5d9830a495d65

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
dd254a9fd8542f4e6f698f00e8298862

SHA1
40184857d9a61d58547f3bdfd1d1712216afcac0

SHA256
ca762bd8c66fb0c582e6e4f44807d930c013a389a2fdb2dd61fba1fa87858525

SHA512
4eba41729187d4e31e3c3844e8d313d019037cfa3f65785aa803de9c700e081cc21095a7deac8f7237f5def89558bd47a4c40888b54e6b693525829f3e532469

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
11432ba5b954af5a5aaddcf6f4ba8538

SHA1
513e5c78137835a79cf1070ea680c39572edfa4b

SHA256
75cc42f40b342ea257d284b574b08e68d24c5b7929f9ea4fc9f78218505a5912

SHA512
7ea78065e8dee2d0e04c429ba9abd5fa50dcdd5981b9cac4a5332243f9434ac2fb45af4c2d5ffaf6c2adb83a383f3b4f04f1f010ed0aca9fb577722a2f20ef4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
59c068cd8b9016162de2793a0485bd59

SHA1
3ad5af9909c66a10febe58b9f6f0351f0d833033

SHA256
ee2547ff4265bb7d84956ac9ceaaabe99a18b167a90e8cdf1788a1456728f90d

SHA512
1973a00d017aa05deeef27a3a72c4a93b35ac78bcf0e07d6a2777de36075c66ba79ce7c0abca9da74af9ce027f1e8404f751b2dd1aa729080aa42c32a6259fe0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
657a7529f4d88ad0c7477dc9d88b57cb

SHA1
596ccda9aee787bf8662923c9b2d1f46c61889a8

SHA256
3350e730d7120d3f0c9f342c1fc6567e912e17059dffb59c63671aa047e6ecd6

SHA512
f767ea154d7b17e8c752e956190d860f3ca969275feed92e3e9caedcfb7605741ffe01b085092713dafff021ae9702008a65434c3327567fc66d56be552fbf69

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4ac87aa9150467deb670192f36364e41

SHA1
abde149cf1e5fd7d880d9f57de9e15bbb8d13558

SHA256
768f97ee6537da4da0d2f3619ef40af0ffce33164de191ebcdf84b20a83d634c

SHA512
ba1b5cb3b6c8d5b09873776aff82ba75ddcb6a139d75d5aa8aa38391387b73ff739dbf5ad3dc51b6811c7caaf09bcb0b5930aa8c7f817a591e3676a778bfc760

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8671c302a6f7052a55363a2244aa08c3

SHA1
9e3c476f82c092fd13a282b8a9ae79dd39b09fa6

SHA256
cba58ef01dcea842057cd2d13eb22fa25f445cffe4575af6794371f6bb009ae3

SHA512
f95b032c9acccf180e9967aaea75219b71565ed3f7cbdef447605eab579a63411124a453ec37d5c2205bda507f75c1306235e0997c2fceca782734e4de47aeb3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
293140a6a62d8f855b7e428d70890de7

SHA1
445e953c8b86ea2228a586294acadd0772d75fc0

SHA256
d7dc6540cc7fe511b6dfe36d9b9327520986f1b7466dabdf75731928d970c96c

SHA512
70c8ec8a0d89e3cb0fdad134148f9c3bd385ffd16e92d56c21b5d49119a763ba3a6a2a2f24305a99feaed28acea13c0a0a9214973827e2b10dbb96bbc8450bbb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
875ac03566520f4b46757f2aca1bf4da

SHA1
23805a6ba7928a4e8881dd4c064fa03600c03958

SHA256
f02348aa9ac26f53192314b3e14aa62305e92ff898ef27813ecf398f8e0ce3a3

SHA512
94f656b18fbfa6491e4f93be8cd8cd8ffe994e2542a9314e9f1f92bc8198828e52f76df32c1f6730736b1e4048bc6d623a7bba8ad6e31324a2d103247e3a4ab2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e5495be2cb912959cf155ffa4499f211

SHA1
39cff59aabd71ba4245a181b218a7fcb96aa82b5

SHA256
6078c0b7edf67bb817c944b39c4b9858409b887e3546fbef89b6b2d5f5398d45

SHA512
c71c35fde1be4902b68abce927680574314b1193d52bd68bdd1e5e38ec63a7611b2153875d787cbf1542b3a1388d22baedcc28722e1978f8a2ae1a58e4434d0c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9818d5364ab6e0fa1bce81bbac9feceb

SHA1
1f7b6c5b8e66958e174c80fb7441bab2048b7228

SHA256
df214ace612368dfee302de01b7d15f064b0f54644085f6f2e067a92d5d00458

SHA512
9c8c60d40cf5148edc668b6cb054dc9b5182287c72643402030fb09d4cfa8d9d72e0d416597cc8a999a58f009bd96144221667bf3502bcda21bd1ef620466cea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
781437785d909739c9fe1682c591687c

SHA1
97bdf7b595cfb965ae4620cde0fa56c10fdaed4a

SHA256
cb1c418e9c7a1041ae19ceefea1e2822e619e026aaa71d6e927de894274df20e

SHA512
197097d5b888dde01fae55cc468592ed8992ef391391aee09631b3110906054191586ae566d4d9daecc698e74a9b472226bfb3af940c3b38b640a97f22455a1f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c4eeed76a0641ea9fbe830ea83163c09

SHA1
e31860c0af4e7120bb67c9a533448415e2c56581

SHA256
e995c5076cb81f0598668f222ef867a5041e79ea6167c336507693dc222e6b01

SHA512
fc218e79ee8e18176e70edf903ac26b1ac8e4b0f188568a5df9c3fb53af135efd5e9d00dad05c4d942acc0c1343a86b5ffa6a4e2256bcab66016a6a272576f57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
074be155fdf4544dd34efcf00bd7e13d

SHA1
8063bf05d83788e6254e7ebffea381f27e7aac8c

SHA256
85ac4d3d9f7a898afb2706ef992edaba1c79a47a1ab57a4885e547afcdd9f9c3

SHA512
ec374eaf430f5f5084fb690adf7158ca1f3ca09a35da869ad825515d2c78b6741d0a1d6439982d294f25fffb03577e205b5814b360fcd8851759706e4801e20e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
73293ac78cdd5304b442641267ef3aa5

SHA1
62b1eea7e7b2f82bc5dd6417cb53622f404dcbee

SHA256
9b300d634c68f6d11eab7bc5d02c2874c1107ecba1f6470020e91fb7ac41a248

SHA512
e1040b5123d744484c55993f20032800dfc8c5c6e075eb0b85cf9ff79c84ea2aa7b9225e94eacaf2cc304e14f0b08230386c9ce92e96bac4bc6ac558a47cb2c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3dbebc5641d6fdda7bdfe90f08f02986

SHA1
e763ffc4ff5048aa1d3299e30a61a616e3034cae

SHA256
9c08e71b83e76d1ac8ec681601d752610e0891e7c750ff26ee5876e10f32535b

SHA512
139a210cd63e58c7516d666985911d47647427283281085e24d32330d08056989ac05e4ed5c22bd2376ac5300315fb677909b71fe76749d1c4443fbf77be02a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c945b34fa1ed7b9bccc56bbe0e524595

SHA1
0494f1d2fc19cd0c0461e5ba32498b339ca1d8a3

SHA256
d1370c16f3b9c2a79d588773e1230e6c4557eaae36d17b16d88cb25eb678a65f

SHA512
60ad5d4dffd201aba3c8aa5d8103a2b41cf250c9b3a12f8e44ab2862778c4e620c9071659e10c72e6893db722970d4b17db4b6bdf70c58c58574ea3262ab0245

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
cc3a21f3960dd1de50ebcec9bf73decb

SHA1
7279ad75e274785c5dd7b2353a812d53e0b9aa26

SHA256
8ac27734ade7fda7b36407c5ad0935fd7f449923d0a40659ee536eccf06065f6

SHA512
6b02ff1b33f93913e3140833e7eecf18fe4027fa62ce46d6c3fc01be2c3b06134421ad071a961d257e9509541dba12894a88713e2cf0fed745f45d04b933fb94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
74a045f7109071a0c1b17a9418932785

SHA1
b5417fe1722d67b9874d6f8d0309e38034170378

SHA256
902c6d630893c29c4a276536a981f0da9ddee141cb6a33e317a947860e165760

SHA512
4403522ddb4c1a0c1c4c428492fd396b54ba5e81a026aa5e1eaa5ee3265db0fcb638cfe24a12c46c523faab0a9657d6793805503aef0269617aeb6add134070e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e135c4dbc42cfa4ce760426ada06fbff

SHA1
bd05fd372b321bd30ca0117648eeba7af266319c

SHA256
e3e49fce8439c4ceb384dea761d1b2802f252627e85e89305950c6858aa332aa

SHA512
cc7dfd6c22b2d41e4abd62981817388cb4754b86b45f91f2ab0c74eb22c5c7bec42679c133c52c41cae51d820e9811722b4e6b8512e4235f1166ddced32923df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0fae204bf959a28914df19f088d74556

SHA1
504b187a04abd8a7b1eb69bedbb554b323124c87

SHA256
e520e2a8461d9dabd45ead818dbac666e09bc61fa3d5f6f0133c13effc0b7d0b

SHA512
59223170bf457102958bd26c1013d3a15fb8c8324615ad00d3b7dbe2d4c612d2bfe1edf7d7dd1542e4c1685ff06e8adcb94af307dbf75713232e9a664b61948d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
fa0a36f9795696646ff3883e7afcd601

SHA1
20c27be0e8da724cda60f9081143de7b85c20f7b

SHA256
42e4a1cf753826f44ade2adf3c71e5b79eb2be7c14355c6a055598d6443f0167

SHA512
b4fad3b307ecd2212cac9d84cf82d6b44baa1e85e0a3b2cc15e64abbade7c266e7680ed5ae482648873350cd7134ea443ad6b558d999c16991099097a83bc419

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7f287b10831757530dadabe7bbd5ce26

SHA1
242732adfea0495c2d2caaf733f1badd81951950

SHA256
41bc6e159ac0fb1c31c3c4c186535bc2c9947f1625c9b744746fe02fa6d09ed3

SHA512
89153a5c492bf43b25406be0e2a41dc04bbafe58834d0baf00acb56bb53463a2b6ce0632dee4fba08150450fdb183e2795ab34a562292554704691827c0931e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
a309300a47e5640bf5654eb4c71c7d59

SHA1
80922b6ddcd1dc51b91d5693a0737d7a6bb4b4cc

SHA256
d5e7b446a7467d0b34417b10a603769f91a545a6ae10e28726b7e55763b32a58

SHA512
851e22c68af868d301b79ddaf0c514ba1ebc3c1114e47c561508ef6067aba4ee773829df594796c7012feda3a9ffa680208cd0741c2b613864bf180815e3498e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3cf7e11679bef972adb178bd449a5235

SHA1
87e0128af8b33a81e351471d5d82783cb520e214

SHA256
d80bead36b40206138a5f273e7ac0a045acc7f0d44ed209065cc982f7f5c9acd

SHA512
bc361d297e81a2b51ef3367e81691452922088ba74f023e800148e0dc285945fe3bfa466bed7eff2337315cb30757353ccef9aca5533c6e19f30875636fd3fec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
88a5218a1525ce261755c153e1309966

SHA1
5e82a7dba7caf893ba2a747ecd798563d44302f9

SHA256
238c1d89e89a62a46eabe61204392d19e877a9f535d5af02c3e4a5b4be1ed8aa

SHA512
471aa45e6bdcefe1de22e026f39cef412da6d4773c3711c144acf68e8aa93d82e870aa1e9fe04f98c90e934e4ef0536e6e6eb376019d356a7e87254d8e809a10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
136542d7a2991b697a150bd053a49a0e

SHA1
cd9e86d3387426b532d772c3cf28f082cd9845e0

SHA256
9a440617597da912be78b4a07052ca83417fb88aa8c1b8fd7a3149e96f78297c

SHA512
5412d3d56ba6bcc99c7148897249b5568e2f64e544272e8a84174d29347ba794ce819c4cd71ec72f1fee521ca6375880417067f597f8a222e556931b64b2b1a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
550539c3ff25a6d9cf9d42778f75c000

SHA1
1833ff9286d7a69b1b33c0d01796317486aa8bb8

SHA256
9c645366f5535ea269f2a9948b0ffa2b192b80b431fcdd6b3210dee9f374fc6f

SHA512
663b6dabd7b512d912b2697351635084923744b59326ad3b84da8a08f48cd47034edce366142a09c2e905b3ee82a04c04863d17616c7f14970667941c57350da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
3c81c33812834bc7f496717dfd2bc97c

SHA1
84e7141cf52017eab96cc69db20e89d821499645

SHA256
98bbaa99e2f6002cbaeb40f6fece1d03781ff5e4b7b6aaf42b33fbe349a282bc

SHA512
6eb3b64aa5d507cdfe04019b7c2be92705a05a1554b089cd374fde1e4ff39d7a94b85bcb576afc6cd977da20ea899b081842247ae702e475d9af7a599b5c28e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
5d0a4b70d34f60193775a75d3bee43b6

SHA1
168ec9cb39df3a8c8f288503f1b9d7ec458017ad

SHA256
26516173748087cf61aaa4a0339455a707aef6e5da01de76467ddc6e62e7c72a

SHA512
2d9968c8e5bdc6b520cdfcbde46fee4ae7dc185584715b228d0f92958a1903c93a08835b98b30bf461e399d868b49e67b0e622e10d932a4f2bf7ad877a24cec6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3868a35e822c726e4685a82f21ec9add

SHA1
d2334dbec89b6b23bff6114f40c4a7f7356a686f

SHA256
eba48f92efe5c471530ebc73f5f41b79b3b93c68d8b4fdef6b925e274d3b1a0f

SHA512
07cf4fc4a00cf7727b4e93b13dc96f477eea6259c5ff33dd18b7f33ff85063fc0c7292492dedadbc9be41bde7ce87981e57aae96324e8e0d71b70c983b8efabc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
51273a38ca2a8bdbb635cc21706e0e1f

SHA1
35055751e5935458a6428d6d208898410a8e9ae1

SHA256
99aaca1a471918c12a646830679ec6cf4536cca62b44a62ff9a22544488554ea

SHA512
324ad3f07db826a1547fa8989501d3b30af8211f3b1423cb8b07aa2752ec0044143f74aea6329d31ed3cfa7ac30a583818ab70ef888f23b7c2b691f747aed474

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
90c29a4b5e529f1bea74166f280c1f8d

SHA1
662c0a5069980b1b4c75df84f1283e0fae4bac8d

SHA256
d37a751fa79096c6eb0d5926d4d6940717d6333902f52d83fc0bc1c51c6c8b03

SHA512
65a9f86d109a753f3d30a1a4b7063103688b4ea737aa82b891381e8eaf99a07706fd785b2209b683838c02f41a8a9857c31afbef662511c97d05f967a36d40d4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
de06b7fac53dcf968ccf3d47638473c8

SHA1
f9cd8d683a97b50032183a9795fbb634f5e70b60

SHA256
77a4fe4f941d9a3e40ccce5e9a0ca1ea3dbc20274bd01132c9ffc8572694a3c2

SHA512
c0cecc3a4591b7f60a2dd821089c0ee854086720cfd8cb65dedee1463c94e20b32b0dfeb22c70402c87195e31c03a2936f43dc70775c763bf8802dbac1550e11

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6eed5fc222db8de40e66ddb1118079f1

SHA1
e960f6fc44a8a9ffe50b39a698f36aca2016a51d

SHA256
48633a89554149ac3328fc5982ef1f36ea3906ad78e2262cdf0a3b18683c9bee

SHA512
dee4d008110eb7f679a67ccca17a110c00e874fe38f732714923eafb6c55099ba5390841761ed1f208a652b5c577c8e5a52939bca975c22df3c2aff94baf7ffb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6829bd69217bc0862886e82b7af8f2ee

SHA1
a2197630e4127fef9d9fa9e0fb63595c25d2b852

SHA256
c8f00a2ddb9e15c90660ba4714d9e1a6cd9f972d4ac920f757b37fbe399c7db8

SHA512
ac873ca33e9dbf2e3d704c5676b6ea45b71e88679d11a60267ae1b0cd53b60559dd7dd57f2c0ea5d71cac508362f130f99d6f92e30708f288c9ee07923347143

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
9ed5193a30999f980c2217992a560096

SHA1
09ee5987fa6fda6d4cbb0bbba02638a5542f2b1d

SHA256
febb23ef7c17e39690c0642d03babf6767a0a47be1b21f9399a5708f17329a47

SHA512
ccdbfddc92cd1539cd8ab16629343b1a9398268b0e4f6a0df2138bbd40f1b940e5fe3417777a26cc632070d3bfb027e468b1493b4fb612161bb28566fb3bc25e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6d89bafb07d0b8cd635d4eaef1fa2921

SHA1
a29a39db6158a835a931d1b2aa7455dd4c363970

SHA256
800211608c485d36017fbba812a4c2d8b142d44cc52a5bb12dd05b0564e1fceb

SHA512
272eb032f1c285ea62e1d055ce60ad28fd738e82cbecce6bd659e17bae467db4f771b621fc078301ad3c4fda7c464259417a08f2c71b3118f4399dd7ebb8b8c5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4415e9b830be57fe34ab610a91f5bcff

SHA1
9c0829f32b237ce9d88d0099037779bbaf72bfbd

SHA256
8e357f967192d6e60f2ea0d0f67006a96b856600afb5c8365f4e89fd82c52963

SHA512
ed02ca3dde1fe162ec761fcd977578e0b415471392200368a8ffb4b84c61c8e3b8e7d46add9190d2a045bbe081363e564325beb622b9ebf2f9b37ab056644b10

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
08d8b8322138ecb2f72aa952ffa24b1a

SHA1
45cd0d3c9fd3d81de47237d91a0bbc9d35bce3c3

SHA256
973f413cff96ec11ae7c45199b69e3163031dd6efb177cea26d8382b511ce53e

SHA512
4b74439eda5216c8a22dceebd6709e23f3420d5a94217cee79276782b81c7b1bec65f9cd1128975907428f37e5bbbd3f4ed237dcbf642a8b8620228cce2f3a6a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b76b185c991f11e60ddb0405578f7271

SHA1
a87db4b4312f63a8f9f0943ca28de78ecbdaa534

SHA256
826f29b43b1cbac736103ccfcbfc5fa19d4b8a3ad3d6ab73afd08495d496dabb

SHA512
b06438ae54c4a2f691fccb65d84160714bfa2195e5d6c8e08d7fd3d0b7346a584b4f4aa07b8ab07ebcee6fb059cf2a3179a0deac8f2766033994b09571cab4a1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7fc22c6aae9db8da3b934804b11c6e7f

SHA1
1329f3e45361c3df24bd2eaf15f6daae3caf538d

SHA256
8d8ab21bb3c4205be1a12f13fe9d1980f6ed236c397887d19e5c60e0efc5e2f2

SHA512
4f8e52553eb17be0de4b5bc95f81acc686e92ac7683d0ea3dbafbaaa806e1a918e9a197434f11a680fb02857840a1915349077b49a44e39c970aa2e4beab9671

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ed92572ab1c58cc32546a73b3dec4787

SHA1
b5fecd65cf0fa518407f3a7b0e73c9fb0af5ccd6

SHA256
df3d516fb5b996ffadf847f900fbfbc60ee6a614504e45475eaf8e8b832cde13

SHA512
075c9bbadaede678ee48b6214b97dc92579455b9127176cae80002652b82b7fc86414190f11cbb9d12be6a64e018ac64a3fe2eafd69c165097d35d1319b263a2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4a45fa75be25d0d9468352a870799490

SHA1
317db8c6322081f8db5fffc519e6cba3640a1784

SHA256
0584f72a9c31891f082ced38737c3662bc51d1c20c2303661e442e58bf43784d

SHA512
0d70eee84b7e7328230d885a3e2be128588a7c5749a00497ae3790511c419625b0ba9a2b19542a766f2787b5f74dbe3a540621c61e09f98cf97ea458d024305f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
417071c0b39e0f878196476cbaf89bcd

SHA1
a385198fdfd863dac04a80f1024c872479571c94

SHA256
f78ed94e8fc45b39f3e1781dd176427370a8e4302a4bae9db60ff503f98d71e5

SHA512
4b514dd54eab4d6279716854d792ce5bcacb8cb86c599a6e1ce1d843962716432f8f851b04f719523007ccd81501217d5217ccf7f32c80eb5dae5e504e850af6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
701cd18e7b0900dc31ff96b9f40a51f5

SHA1
f8932b69646219e95cfbfc2058685f3ce7c91285

SHA256
e25c09b4f5579dc76b2b1391a5c23486818c6a470007c3b4c80aca3bdb3c32ff

SHA512
0b35d16b88584e184af6e6572a73e229a1e55a52e93cf2b99365737890546c0925c4f37412d562d7de6e82543401817b0fee63b9d65c6f66be77631f8ef50f80

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
461ea9800d4fb4b8788ec2fb68e9829a

SHA1
ea715cc9d207486bb62546a873b584b19b6a3a6b

SHA256
4f8a433e5bc0b7ff3154fc25d9d843a958ffc73c016c42a36ed8c16bf4a4075c

SHA512
56dcf449d3c29753fd6ece587787bb3cb8d77e60040415e5590cebf46eb5979d5c588f23f501aa89f3a6bb951c4f5e5bcb443af654543ea8dc3eafc392f163fb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7876919582b0c1de1c2d0b188042b99b

SHA1
6d8f24c8d525be3ed243eb430d66046243ffe1f6

SHA256
d8d9231fdb72add828bbe3541989d0c5f1ce8147a85d7844b2b7fe64ea08bd92

SHA512
6b955669587135c13e0b39d4f97e39e671e85762204fd20263d4b216cf40e1cbeeffbabc2b1f4b539c4eb95d4f7c46ed2edac05e3b97cb14f95acf2f13740fb0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
433c1652e0204623779a5bf669ec0dec

SHA1
830fd1444c18b7bbd3811b29f5df098894065638

SHA256
fe4b79d0c9a1962a841be8012205b7a3255ff70bacd5e4b5fec5f52d1bd5b947

SHA512
02ad0618a8f9aee915a51ab0d12f2c8aab2db8a6bd190ff35ce65fb57648bd85e92a5bb5fef589860d35eb6f143b7fea56896243fc61b7d76ecd76907d3324e7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f47280f0fe04a3c7af05c22f211ea7e6

SHA1
2abcfccbc2cc37d61886afa32d5d738d4568c859

SHA256
eeb6f56688fef5313abdbde0129fe24295746da51ae382c1d54cca19207a5e9d

SHA512
515e748efea8983012b9532ba5131a8304406d7a764e5e84b107e316306ae8d276a8336217d258b0cbca9c53b28368a1b27224dc9e3a12f14121bd41f77226b9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b36baf11e161de45fa52e3a8feabfe06

SHA1
78464cecb3d3c5995893ebdb38f694a1778311a5

SHA256
2af054ed582d4ecc5b9162581e32bcd25554b15d9d463e2b6b1ac102c79b7038

SHA512
4d526a4395eb42a3d8ee22217b799e40e81d04fac56b028b3e505d8a598f361cdd14d1ab7202ec5f9b99cc9bad95bac8c88e8606d747e1bd295a31eac37feb77

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
eccb9f412e82122d0d8c41ae67ced56d

SHA1
2279e2906748a2eca740396955fab204778a5ee3

SHA256
764f0f344edb17e19ac0b3d39cfd1412161b053d1ea4ff02d2ff4569b5bb07ea

SHA512
a1271db61aaa368125546b0de2c849c494df9519e5a763e11ecc14ecc016018b53de5a983bcd6cfac509ab93ca976fe5ef940c860c071e921b9f24d4c71cfb81

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9f6525a397827e04bf80fb4b42364045

SHA1
dd770b3ebcecd90642b864ba9c43b266669e6191

SHA256
b12221e2bd52f665e6d8a20e0f4f51555dd1b61f35786b502c74b0c85fe78b8a

SHA512
10fa8bd79c99d03454c3489f978a62ec278fcbc443ae40d7aafec57aa307ce4891891c1312f6239fb9f8efd8f804e513f1b6adab0fad59763d02455fd51b358c

Download Submit
memory/960-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/960-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1196-615-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1196-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1524-161-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1768-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1824-183-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1824-608-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1924-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1924-618-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1940-136-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2276-49-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2276-186-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2276-55-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2276-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2604-612-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2604-224-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2816-617-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2816-254-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3044-36-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3044-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3044-46-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3044-42-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3044-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3396-602-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3396-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3740-122-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3740-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3740-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3740-18-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3768-124-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3848-25-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3848-31-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3848-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3848-139-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3956-80-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/3956-0-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/3956-467-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/3956-1-0x0000000000C40000-0x0000000000CA7000-memory.dmp

Filesize
412KB

Download
memory/3956-6-0x0000000000C40000-0x0000000000CA7000-memory.dmp

Filesize
412KB

Download
memory/3980-87-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3980-97-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3992-610-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3992-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4072-206-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4072-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4072-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4072-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4156-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4156-611-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4380-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4536-83-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4536-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4536-71-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4536-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4536-77-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4692-140-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4692-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4692-607-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download