0d209077b64f3c146194fc1e4b25a8e66375844f76352b1e4e4b152a588011c3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 18:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
Size

1.6MB
MD5

ebd74ab45aabfbe3fd007c65379eac2a
SHA1

966c71714de135a9bf6b91e39561d7b7d02287a7
SHA256

0d209077b64f3c146194fc1e4b25a8e66375844f76352b1e4e4b152a588011c3
SHA512

e6cf92b83719ce0ea6b1a2e833d1b605c1c2b8909cb813b6f735492573ab308239654c7c660b412bedfc0d1862dc22186df845574f43f6a2d5a41d11d58031d0
SSDEEP

12288:xtOw6BageSMIO74u8k7UtnzPgGeB0dPoIlaNyF/ofCVGGfX134R9kMKy:D6BJet/HU9zPjeidP1Yi/dGyA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2432	alg.exe
2116	DiagnosticsHub.StandardCollector.Service.exe
996	fxssvc.exe
2124	elevation_service.exe
3296	elevation_service.exe
3348	maintenanceservice.exe
4584	msdtc.exe
872	OSE.EXE
884	PerceptionSimulationService.exe
3224	perfhost.exe
2152	locator.exe
2436	SensorDataService.exe
3160	snmptrap.exe
2996	spectrum.exe
4736	ssh-agent.exe
3284	TieringEngineService.exe
4532	AgentService.exe
1020	vds.exe
3348	vssvc.exe
2568	wbengine.exe
2420	WmiApSrv.exe
3384	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6419bf8b92be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4B7946F8-973F-4AF9-AEA7-D50B80611631}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006dd740e2e2b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064d95ce0e2b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000269bebe3e2b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5f73ce1e2b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
Token: SeAuditPrivilege	996	fxssvc.exe
Token: SeRestorePrivilege	3284	TieringEngineService.exe
Token: SeManageVolumePrivilege	3284	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4532	AgentService.exe
Token: SeBackupPrivilege	3348	vssvc.exe
Token: SeRestorePrivilege	3348	vssvc.exe
Token: SeAuditPrivilege	3348	vssvc.exe
Token: SeBackupPrivilege	2568	wbengine.exe
Token: SeRestorePrivilege	2568	wbengine.exe
Token: SeSecurityPrivilege	2568	wbengine.exe
Token: 33	3384	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeDebugPrivilege	5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
Token: SeDebugPrivilege	5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
Token: SeDebugPrivilege	5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
Token: SeDebugPrivilege	5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
Token: SeDebugPrivilege	5056	2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
Token: SeDebugPrivilege	2432	alg.exe
Token: SeDebugPrivilege	2432	alg.exe
Token: SeDebugPrivilege	2432	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 2700	3384	SearchIndexer.exe	113
PID 3384 wrote to memory of 2700	3384	SearchIndexer.exe	113
PID 3384 wrote to memory of 3808	3384	SearchIndexer.exe	114
PID 3384 wrote to memory of 3808	3384	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_ebd74ab45aabfbe3fd007c65379eac2a_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3648

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3296

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3348

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4584

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:872

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2436

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3160

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3772

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2700
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f5c638e934425a243599fac6ef4c9fe3

SHA1
4545e26f61bcd55d719136ef65dce645e4fa9502

SHA256
408d506b19fa9149d12c8540a0616a3a721a239dbfaead670fd79f2be2f90e0a

SHA512
a36c8ba5434b2fb062da66ea7a03879b463f3f89e338463a03985ce74de1e15ac83c52ae3522b69e197b62782a1c92090366f361506ed2cb6431d4c6a4a7f315

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
c40b02b368c577b1e10fd37274ba16cd

SHA1
ac22831c69ce89a91b85e212c70e0edd7438c44f

SHA256
b700f7156e97d86c5a95ad65280544db219da39b660ddbd28710a0c6f6772505

SHA512
736473c24c4d3fddc4857e03f389af02602d72af2ea511ed33a731295db7a96b7466b41ce007c92f3b44d189f11de25e900b99a94e0ad47cf83d93fdc442716c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
4ad8bdf76448fc16946404eceb422c76

SHA1
8fbf5b5308771869fa7d45610c3f281da53b07f0

SHA256
e9081999348a0dbca1fadcdcd777ca85836bb97aeeedaccdfe6d64295ea1ae4c

SHA512
f88955bafea1cef837dbba14e9b5be436447f2a6cdd28aa7acf980650c7bc84200be8338203055c8328cd77cffafdce80f834a51ee598e6f67cb63e37f33b105

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6c7107683b4119a824b6bab454e85234

SHA1
8067713345ee77c3c26e7b396ac145a4dc8053af

SHA256
d770016db5cc6d61c1b76c14ebb60251d899883cdfce8fd305f98ca05a8c7d38

SHA512
c1acc1c1caea35547e7b026e3f54948d605766d0b414b5ce32bd75b9bf64aaed331aff8671da6d067595b7cece3817360c14cd64f52acb1b57a2f80b49449aba

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4a837e343700878ae02dd21c1209de82

SHA1
eed08d8ac1595b997992e588138b44ef241e9ac4

SHA256
1e9258c67edfc888df258aab39458f4c1d237301f911fbbcdbc814af336f13a1

SHA512
e72a501e4379346c08b1ea33b0e542bef6021280a4434660e625b3bfd392f87d49e37cf0eee9bb3b10883f69db4f2c5280c4bedae87a0ab68777e813fb08a7d5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
8515676b5fbedc82abf25b848c6a7c94

SHA1
3177b159fe3abd0756d68fd221fd34ba60078434

SHA256
364a195bd9faa525cdd5576a7e9d4ace0f0c214370f32c6687fde61933e58f3a

SHA512
8395a150c07aa54ddd0721e24d7fd10f98154ce83f3c17b6873c447c99ea6995524ba31defe5baa657f623aa4bcbe975885aea4ce531feb0cdf88203cf2919b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
5aa613d917be8225b9d5b240e6993dc0

SHA1
ca146edbae3024ee0a52a8e549158758481faa24

SHA256
59250905db5f38fc23b836794c0fe4237bb3ca5960710860da97c459e99b6b47

SHA512
5c88f4255799077a994c61484886b9f1e3efe47944f2fa349e35f4c441f11f17239aa37ac794d6f99ffa4ce79692504646c527b85b70e2a5033d7116253b6e45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4d1ca56ef0a07889ce935b63cee3cafd

SHA1
2d6fbd31e7ed03f63271b04cd70aa48f46152a80

SHA256
fb2e8aa5f7e61227d4ab657b0e4eb0e1dc6386a0449e4ac9e6f84351f73e9af7

SHA512
b4bfd6f46d23c28456e6d2db96a4372fd3fffe4f8cd8b71d75949ac1439eea6a599d18322b265e4c1536b3f89b2d515efb2a714ad560b6133ea8b1a1f161512d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
b36c972c86161abdfc5f596531292b24

SHA1
2eb42c98741fd83e3f534fe950998ba6d31b199a

SHA256
c950ebac4e179f7d999312ca88ba592c86d9c013414bd3ccc6ec08fcb47be280

SHA512
1d293c9732226d7332cc5f6ddf6c620f965fadc28380ceaa6491c438f3405b7abd1cd729068d0a9c50121a070da77c7772ec3466f32782e837a0808dabebaead

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5cc56ce185b81baec9796b3aef781db4

SHA1
cf6c6fe48aef84ce304d375ddbe92ccc967d51ee

SHA256
60b89a321c4a1be31d9320823ff7a0415db62dc547c62c9e7f5e8595e58d36b7

SHA512
676cf7361033e562ad2c53310293c09f3bb39465af52503ef4cb39a056f487cd319c77265e6ce7cec7f3d8e2a83a97fad8224b80d94654af21f5dcf5ac8c1a15

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
91d88c94e312e1fa2c8015ae52e23ab6

SHA1
fbacf6eeb55e3d189c8561266f64e565468e7f8e

SHA256
21268205839686ed480811bb9f615d3da0ff5c92781c41925a96fc76cf59dab8

SHA512
50dbf4b574b6611446278cae776e53929c72b3436cffa59c53a18bc2a3e048fb6ba795e2e1c07a1bf4f58a77e2166428d2de1a6d3c1c7b228fdb146ca5ce299d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
42e45122dc59caab0e00713753357c30

SHA1
62fb50c48868d7cde0c0ea9655754bc54f6464bb

SHA256
46631acdc8be61e1923b47392142945b8c35494566ca4db8c3d03bfe82ee09f2

SHA512
9aae6d199ee74b62a047b42159f825407a3d27facb9a492f87bf407213e54e5cf67a0e6f194634c036c28cafb174290eb107bd15e3dbe8fbd7e760b213db7f44

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
9c88dd0aca22e680d165256076fe5170

SHA1
8c793cb852f835b3e2b9e7d60c661a2af1d71610

SHA256
64b055e6a888262733c44a4df79c4a01f5ee7ee8b3c7562c0986fc26badbd05b

SHA512
78e13eec103d7402d66f8ff3b8bd22c47f23fbd324c37ca3bf732287c65163af7551ee8a9b5e21b924f76622a8c39e19b7c96e74e675a41ed56656cc3edb8861

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
c953dacfccc04c4407f08a73ff827fd1

SHA1
94afcea17f5595e5028738e3d5e3cf0f14f1a74e

SHA256
fe1e48406209f92486080b927a289da9a7e3f9212303f8f49db89bde358bee64

SHA512
2db339d20312c7eb917b5c2d700521d85cae7ec4666286dd74adf0e44f9e8ad5d47f127cc2c98f4cf661d180c3adc0f1572e24fc6072095bccb9a57a30d76615

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
14439ddd0deffd7bde73df4bb7686d70

SHA1
0e5350615e879ad7710a16db2ef920f018ce3fea

SHA256
5f765d8db7a77b2139a035974605a3c6ec879431079754565097cfea56d85f06

SHA512
02f62b5c64bc31c26a87c0de4f4f4943a7205ffabbbb9ee87497a6bf3d3f4ec0c99f9ad243f244b7c59e960200a85acd397cd19439095944d813e8c86d4ba306

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
fde310353e65777142574b68375cda7c

SHA1
a717707e741e3500b3e2fd6f75df21282d1ed0e4

SHA256
da182ff24265e0d9ca3a4f2a5040a97c3976ece120c15b72513778da964701fc

SHA512
dfca8f344af5741346777328c97021083d5093f6966a0a5881a4620f51ceaa84351c76c45ab4e9b6917a659955138a4ab1805a8fa403237c6d39db7615a4137a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8b58f6b662befb25f01255a289302d10

SHA1
cecd933a86fa13c66ce0797b34ee88bb78297484

SHA256
c0a31b508c45beae7564c199f848c6a27ea92f8afd9fd3ddb6fed1f82f717891

SHA512
e32d128519f66bcdc0cc02afe884cb2ab9b234dae3b5a0fb303f60fe3bd7f6331e6b2a5c3b9ede4897558d81bf52289c8e3937446e368f4d369b00f8877ce867

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8177b90c0283c7b3c38a50df12bba6cb

SHA1
5cdafb092908b84155c4654f5dabbd848c52df9a

SHA256
edd9f1fca1813006fc84fd415136780cfb63dec6de30bf47ccd9be4dca8d4ac2

SHA512
74aa30aa7d21c0715aba55329c87b87faade54bddf76506baf59b62d50c4bb04a3abe9531c6553f0691c65d7c6dad125dbd21662c9d8037c0eace5bf3fb3a2e9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
fa21314061ae606fa8ad3ff5c78717cc

SHA1
f16b8fcc0ceb73506eb14211a6cb56d734a9b7b7

SHA256
a26900baa149ac7c352d1cf546749112369c8cd161f054c195f70b444cafe31e

SHA512
e5832ffba2555c4c6a8457ef296a4a0d40c775fbe6d4d7041356cfe5c10ee07658078e31b9de8163f11299fdcd8d9fb951cd9fecfc741741ba7be1154ee464b2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
300721fdcc141a99a1f6814a1738043d

SHA1
28e5db91a45f19b2901c10d921bb36fd439e02b4

SHA256
d4be2b5ea3b2fd0d3a24bc790c80b77261e624e8b23dd5368a9bd53c699e607b

SHA512
f6e5084e2b6c4b60940b5a78db6bc6b5f7916d470e5f07b40bbf0269c566faaaa7c4d61dbaf6bc6374ac276782cded6edcc24a7b7ec6cc522aac4000d20ab8d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
846e2519debe350bed6d30eba642c494

SHA1
69e611acf98b3769269fde73a508821288fcb6b5

SHA256
e819db0706007bf130a16e8ff5e60f03db757e960f7695c2f477a0c05f2883c1

SHA512
10bbe402128a1958783317f49c0552120ed77245898288a36f607ec8533e4201eaf01ec8834af28f8af82d714ac69f944e6de93210e7c2e75f427e16306c829b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
7ca622af3a277e698a5d2af3174daa91

SHA1
678ec9042c5f78e64aa3e0fa8a6b71976d22433c

SHA256
6db34f77d8ab04cc04545aa86d92ac20b9e81815d70f3d7cc017f2ffba654f20

SHA512
180d68db998f3c0c66e252c9d65370c729609233fb4733a8b01f61fcc3b84483882bf6551f3dd930c6f162820dc993ccea65f385853330298569fbfbbfe92a21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
cf62f0131d98346949bb009dd97ce009

SHA1
3fe737b1e2f9e158be6027d8fdffa28d8fb1a578

SHA256
1b83246ff4b8fba06bdf61f114ad99ff0d0ff49f85add80cf693d9e94ece5bba

SHA512
3fd23565cfe8259f695d64307f8847ded43512e5f5b77122f59594b481223f914cdb007289a3c3763084c7f21c26a78cf8aa0974bc918a4ecf0a157b0717c228

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
92752c35e21d9cfffe339cac3390104a

SHA1
ad1680aee86289978512125291dfd1d83061dff7

SHA256
a19214beb56978cd527227cea4fb7c11cf0d220e7ed36b2fdc656a60ec808b87

SHA512
e1cba109ba30501e3d6f5afc4a92ceb3a28846fbc7c3ed360c8942f9d0d298a965491e08e2cb769775c111141ea5d8a5f084ee48223dcc1c43a33dc5ca2fc349

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
2fab881122b734ea4b8c20a2d7614d3c

SHA1
dbc8db2134c11d15f97d778761bb0a791e66d105

SHA256
bc0db46286691af17ed03d237e1a47ae52254fdabf09e359277cf65293f32548

SHA512
fafd443a219b5064f6c58e29ec07e1bc2f78df309c2db9acb10383278dc00826c66e6b8d0a1a92db320fc7011cf632db260edd06f30a45d2a05b97f5d6276167

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
648adc4907367c3b72d320538d5e38fa

SHA1
c385fc6ea975bc9eb25b390863babb9354a8c931

SHA256
0c8497e432a72b385792a3cca99d509d7a5f803d5a58dd011724b542ed75bd3c

SHA512
7bb2160fefd5cac1f46c460571fc70ddb9c710476f918061e6734dde8224aaaaa48c81ccf2a3eab02747b0c1d6946a3614d6a1fbda4097c0f4030aee7ae41e0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
fb9ba2985c0f0a6d0c26225069e9ca5a

SHA1
81b1d716da4faa253ae5a5ab8f104bf717c0d533

SHA256
baa091205e5f121531990288f8cd2aa6efe578f9114b564295621a277c15d2d3

SHA512
5f5c87bfc8b21b31e9aa3be2cf887c19dd558b3da659b67410ac727c202a876ce85832c8897457092208b0372fc17c87b5bc789041a5e7e1afef359ce4e5f46f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
d1e5868b25603097b3c66e142335dda0

SHA1
c72b2710c6ed77ae5ad14242a905c9bd422333cc

SHA256
1262e81ab7e87412a4cb84dc2b426081dea0b266093331336903779d39e4d89f

SHA512
aab131f9001d2b6ff60006f5e66418e3ccbff2270a9dea0c09eb226ee2217525ec3ddcde8c83a0d36c41f4db77376e3b89ff7ed3920739b122bfd0265a004282

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
bccf7fedd6c81ae30ed44cc510cb5a37

SHA1
dccf9055fda730dcc3044a70d62279737b2848bf

SHA256
b7cfac119f6750160429a0149f40788c1b587dcf9985026384ab0f3df3c66c7a

SHA512
e7920bed91657aa70ada54b1ee38b77a9a90e3ad2ad0339143b884b4553eeb6aad3722a25dfcd46c80eb9bae510c0f54e3e85a8061b98cc3423677bf46bf5e36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
1e98f14cd57c14a908e1fe44efdd4e18

SHA1
8ef9a707d983151b8a150499331dc8357f5313bf

SHA256
9a776f0645ad8013b46870b12a1a3cba682d768619a3083672654b01f6fcb4a9

SHA512
247da126f8df9f0168f57a2962ef337d5d7b1adf6f8aa915b4ee5e33d7a79c47b87c760425b0c5ebc844431047913e900765abee457e03a461905fc73dc810f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
0a10bd0b8ba2f475046123cc59fbb9f3

SHA1
01e7e42877f75c90748ce0080f449034c1d21fdb

SHA256
2edbaf4e27640ca88e99b7ae650cdee3c6a5bb95412d395b2662c883a31972a1

SHA512
c8b2d04b7085d816017a17d071dc2d900617fcacdc64195367f2c667cbb5a4d75657c8ccde7b3905b2c6a3e805d50b0d5026f671ec52307022f6734f76b3c613

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
4390f6f4a8268dc8ae55e8bbf571c9a1

SHA1
250e31f2c3f648b06b034009a9f523ad56e08f6f

SHA256
0517601870e8aa096eba8369700cfe55bd1395be2af47766ac8dd4f167666069

SHA512
e869d4880cb6f48f8e444434c6d790b0635d482fa5bc97a5b66e2c77da56f7e106bde6ca35504e32376abf0a2098a3502031894ccdbfc4ca857ce0984b690f82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
6408b9739cdfbe34f6655f69fb81c15b

SHA1
8a2fd054e515e9fdceab54ea90e189ee6b465b00

SHA256
1fe19f5e47fe556b401a19e5b28a47cdbd51f11a975681cc9fe68444252ec4b5

SHA512
fc4a2398d2e62d7e0e04528384297ad037291bfe570cd64d0039d426349babaffb71dcec3262a8b3832216e5cb3b5ed05aa7a482731c7f09ab8fb7ee3249a4bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
d9bb40554cb7037546158220dc8ee2ac

SHA1
f25fabbf83988dbbbfc5e7dc5d96605349dce633

SHA256
b43c3fa1d21b0329fb84eb14e9b90e1805e8c56c7bb74453c4b946e1a2af60c2

SHA512
632db7f27e7c6b17737783797797aa059d821313dc3be9d45b0208867e919d1b287b5844f5d68acbf9cb2a2614495bab8aa65d875df593df29af7c97b58c032b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
d58b9d9142d8e3178a4b552be37ed94a

SHA1
296a35e7515b270dc67dc1919e46f61f49c890f0

SHA256
bb17f3122b7ef7fa37ac855b091ae0faf4b213b8297c04b43a5fc7606f52e4ed

SHA512
a7b848f88e7186dcbfd56dc23be93267211d7aa7666e8345555de593827945c9c5bcafdd7ac2307233b0797e33ff820211a5f91d4d60915f36ee382052c441ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
c237e8148aff236c5c6d19c0238c7296

SHA1
15b40a22e554e91c8ce6c592ac6e0090d8656983

SHA256
65c68b873d08218be5cf2132a3e35e1d4eaee9c9cd771d1324886e8b4604ed12

SHA512
c667b3325f4ba66f94c09696a4d733844620fc66e3a2c01fdb51b46693f3a141d1b6a3ab34c7bf02c853375c4f7bf3c59500ec931a595d4c41b05e19a544b564

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4d58a656960c7fc4016ee4af1523c869

SHA1
d9c38cf269d5076cf367c93d4d141b119928a459

SHA256
6a234fff94730be8460850409994429bb97511b20aad5cac5cdfd7b3f37d6d09

SHA512
88739a146b13fe1c70de960240acf7e6ef9063eb7d2fc82eafb9bfe4a5c8fa199d07a082eaf8a4887d289623a7ec9d13f722a11ff44ce407f0aa866a35a63f3d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
6ee9b1d6320d83206a21aaa301daebc0

SHA1
e79420bafd698cf4a041ec461396b06659e4fcc1

SHA256
b4b34848ad92cacad2ba1244ad6444eca6fd4f1a359ae5d1ec04b68c60bb9c4f

SHA512
b9cbbd995bd959efaeac3d52b01d8e3f2f3321b7e59ea228669a7a5453f704806d2b70fb83cf5b842059d60ed61f7b2c7b8623843300e30ba279a44333831ac9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
88069410ccd33d36b121707d9a84ac0f

SHA1
bb730e4a44d629d17a32077f3edf91780336ee93

SHA256
397715451e7b6d965cbedeb8fa9bfa065625ad9f54a1f37782fd82685fc9b0ae

SHA512
f030a0993be9c986d98d83ee1675277949159d50fce8298dd0f005c89030764329a2441ecad422dba68749a1007684970430c467aafec260f82990f32261cb3b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cd49a83b346945007934d87d84729e7b

SHA1
bd9d013055e032c58808204c894c2cf4d0fff6b7

SHA256
8faa66abbedcbdecca58378525a9e7887c050b05f6bd97b7262de1a59c260020

SHA512
feb3a529b5a3f539bebc97da014f0a58cd1160de180d579b5f11fe3a415e6068e4769ff29087d65056c8c0ee0594939a7b0c7b419307044de488848f547f1dcc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
108866d7bb94746a3613bfa9a28db120

SHA1
88e8d21f2da222bfb0a39e36a62b86f4afc44510

SHA256
d3e388b65dcea9aa56071b8264814a8fd1dd73739c9508ef2b093fa632e84810

SHA512
bfc209ce7ec0a30f3f7ab069f1ac6c3180da21abfa33313db86b79d4ab8973e585f3737309ea5724217fc94951dddc47da47be4368d130b72d37063c4ae5357f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d23c22ae0e0bfb181488ebf70808f59c

SHA1
eb9f038a52aa57a39eb9d0dcf111e79f295fcd0b

SHA256
9cdf0898d42ec5c1bcb5bf5873b844d461b714834d1b615574ade61d7966f914

SHA512
8ac2a027a3b943f72fd72216bd45a528b7131c9512243eea0d47f8bf5d198c725991073e33a6adaa99a222487a7b25a4978573446b6e7651eec52472817a5996

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
130af877c594d975a1820871ce2dd947

SHA1
80e570493b3232474d3f600c78f683be44b53bfd

SHA256
7622a29e25f0cb66902d541b15acd4792e4b421f1a14c250cb8afd62dae0b937

SHA512
a7e24bbaad24390d04e354c5f6597b92edccbe9eb83741d275d12a45b519f8e2c658cd72c1409786ccbaaf414edf3ebf014e415ccb0c4370b08df62441313615

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
5b7af31ea6ae808ba7e21cf8f47e0140

SHA1
dfc6c68257f2162e3a5134fba433849510b6639c

SHA256
50df2c8b438c633054f9840cf5ae245777fde6f2adf734a9f99995c15a268e03

SHA512
635541ca260463017e85ae896ba54a14f13b0c9a989718a151564d2884f5f066c88030582e147f7d152b89e3e1b46f7049197a502665d993ad7a178d7dbcb2c8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
21fcdcd6ba62e25d993b1c4bdd362f78

SHA1
6ca230b32187e1e7f24b434c07dcae1cb8530d10

SHA256
26a9d18c38b1040d345a315141605e4b93823ef642edccc887a43f700cd2d113

SHA512
97e9844de4676804192ebbc5c10a4def5564b7520eff2b82fdd6a2337aad22b7d787ab40439e6f837097bc0078d42ea94feeb07f00199e49fb4fbb00fae42e1a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0d45a6646a2c6ee86013daa985848479

SHA1
d85b468da32ff08caaff521bc77d96e761195fef

SHA256
5912e6c202e8099642f443ad52eedd134f3a0da0f46e1f3169d3278aa62a1af7

SHA512
6119d4fa676d1e9a8eeab5efa65c79d218418736c4f7036ce6fe9627e03b25ab31fde34085bd0364580f1f7316f524770e0db4de7f3927c78e5e50bf43034027

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
42eaee2af11f89e41be0e78117f8d7ab

SHA1
c8f657350a17becc0a67f68f184304f9c413d8f8

SHA256
24afcd2eb5105a6e1201f59ede65a5aab830cc629eaa74618135a40708dafc6b

SHA512
c7f8f563d34584625481bb69ee06fd2c8f7072cc4357b248ef02b890837087467f8fb47df0205137d25094be728d723ef4c52d0415e5bec36fb47ea5d30dbac3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f5328783c369b778f3b82af647e3641b

SHA1
63fbe012f5ac0bf15507373b9e5b2b67cdf0f372

SHA256
9eeac6689fdfdfadc5b19998fc235f69cffc3289cd4281a00336faac34f9dfea

SHA512
bf689fd68ae622285180989f81e7b079c908640571ecfe1f2f53d379eadf52ee5d9e42f1cf0055bd9c9f98b53cc3f745b648136338df54bd21558e7c112aeb14

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
9f5f99290c400edaa3f9622bfc688ca6

SHA1
9bc179472aee045ff8f0f2c871012f4e1965d7cb

SHA256
4cd03a88dc90f58d20e9b18e995ebdcf3e609aea7824bfb66ddb54164161a8a4

SHA512
8dc77b8766dc84df70ae258881de89fb0d9a75b335ecb61b8ac6966ce9d2ff625c442e32277d290663dc20727b5f0af97841887fbb95468b8be856bd7b388a8e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
39217a3d027095f50d6c9b62de714a73

SHA1
8200697e357eac88838574e92816392792d5363a

SHA256
8c2381e8a5a66a657fe799865520d51835cc830c85fd0d1564dfddaa8d3d5f57

SHA512
4a395d32b98d2aa05464f761d6a7124b6a8f453c4d03494ec357ae51ed96b32fe77091ca793a373b2ad143dfef14bffb90e04dc302ed0848f452eec38e5fb0a6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
0ec3af4977241714288fdb9ec9c4ed80

SHA1
099a43260a4735a9b5fa33e45093b472b883439a

SHA256
a6c66c0a0d1c22c8faeeb8825e724fa5356302aa68c2484e9d9ada8d895bdc66

SHA512
78fc15e8c7d0add62cf836a013ac239411c1c23c23abbd9d193ea11a16d44e7a4c665d85a857f6e1e389e448e980b913249bbad4a12a5f7e3ad33e5934987456

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
add00db572c8b86b7cf8c7379f06c468

SHA1
2974d14b8e516a69d2ad0a9f0ef808ac20392130

SHA256
c33e89f01cdfc213d1204d1528e8aca1538cf8c070a72ac879a919e445f26620

SHA512
883ace9b6e1efd8869592fd9d6c71921d5930dd4bd6d668fbf495b146d7d7909e2e10b177ac58bbecdc09617e2557c9eb876aa4e974b3b7c00b902bb27e7a57e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
df09902e9f531ee48686c837616cef81

SHA1
182413f34080c3e54cc8ec7d83f5e7cc23abbd85

SHA256
d228cb8ed64e9a13cfbae9e5c291a6aee23c7be267d39a09627fca8e811b9f50

SHA512
8e77491455928a374c28ed1804a937991cbb214077e801a0a25e769b9433a5caf41a26a0c47dc17f768e148cf540556e3d1f5fa9f0d973980035738e37d9679b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
842d00e5f1a1d6b4ac9284cba3e51bfc

SHA1
aec38bdcc583ba65a910b4f2d452da160398be64

SHA256
7a5f25c9982d897202964ca3c854f0320fb00b9293f0aec376dc25af05fc452c

SHA512
0b8a798cb0c4eb8b1e1565d3b24222c80111b50d8e75577f817dcf00ac631e7fd682312b8fb563e9723ea2ef882792025305d3aeddbfe0e33b04074821321d1e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
75e62b94d640567f1172e13ea1757df2

SHA1
c90c6c8e6f5f56e8718106e0a1332d60468d749c

SHA256
145ebbbe44ce7ca13957e943d2f42fab746e055e784dcdeaf7831a732d27968c

SHA512
5f49e9314ec7dfb93f24257674b5d49604e126aab817aac643e10b0007d6504219665acf004e6ea3dd0188001ca81638fc6af4b33d75c87e763b17c322fbcace

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
00fb4ce5c25a9c563b111e72f3996abe

SHA1
8c1c8b3d6d4129359c7526e9aabffc269a77b00d

SHA256
0c9908f938c3969c6bc3171390f91d561148e635ae7b7060f574257defcfbd11

SHA512
1bc633a78251ef0ef4d7c4626c860ae2897fd1e1213714950209e49880b047eea6eac1ec25a21efc11c4776b2f07128513b688e043cf759075f3bf04472e3ca3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d72b62c530a6fb62a6e6c8c44ae52765

SHA1
d26fc24e9780f22f211fa01d5f9025b746cee550

SHA256
237e7d54285a13192317f69c8d9e8ea49d527927494225229d9b61ddc76c01c8

SHA512
8b43a4c78f560beca03c47fb9cf07ab218da897037020418ef54e702d014a89d2e281ca307e633812cf04788c1e5b006648e615528b27392fdcb6085f4b7ab4e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
316a28f9bcbe30c4acff3ecb046213c4

SHA1
eb165956ded68d35c4341d3130a9b6f7a33c62b0

SHA256
8c4a6191dd0086cc13e132aa05742d52ee4337271d1caaab51610fff00a70d45

SHA512
49d5973351b9ab4a848f129bdc763b6d49f1668dc471d5646ea1d6849d9928306a68df2f312aee6313c399e6ae435fc94476321acda7aa7ce44122564c4d493d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
ad4270f766559306167454b833d7c1bf

SHA1
d4a2dd9a9debed43f944e784b5d71faa2f0dfee9

SHA256
1d435904757b5c184f394410298826df3640768397267799f038b180475b73dc

SHA512
d6916b3a88519cfdb1a42e6f86258bc01ffc3b4ae46e55d7a2137d691d26ad3c2d7029c39dd963f6e9d85b9d3f107a672cae3548e004b6f710800eb7f6b59a5f

Download Submit
memory/872-223-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/872-112-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/884-125-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/884-235-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/996-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/996-45-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/996-47-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/996-39-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/996-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1020-232-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1020-587-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2116-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2116-33-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2116-32-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2116-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2116-116-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2124-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2124-180-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2124-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2124-52-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2152-147-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2152-268-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2420-593-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2420-269-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2432-115-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2432-12-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2432-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2432-21-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2436-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2436-560-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2436-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2568-589-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2568-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2996-502-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2996-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3160-406-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3160-169-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3224-136-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3224-247-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3284-198-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3284-582-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3296-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3296-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3296-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3296-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3348-84-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3348-192-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3348-588-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3348-74-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3348-80-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3348-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3348-87-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3384-594-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3384-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4532-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4532-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4584-97-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4584-88-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4736-195-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4736-556-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5056-96-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/5056-0-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/5056-8-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download
memory/5056-1-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download