290e1b9ec3562b4df16096a4efdcf32ea3391e7427e68f90cc33efb9c0280cf2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 08:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
Size

712KB
MD5

03de3628f337a93f1989978680b7f6eb
SHA1

c348005a10c4fc48e81059ea8cbe318c81bdbd4a
SHA256

290e1b9ec3562b4df16096a4efdcf32ea3391e7427e68f90cc33efb9c0280cf2
SHA512

3958b72645db9daaf3e545005dded272c277c998aa18636805a2b9c9118a4714a8e6b09c2e5ea8a1ef91a8dd0b0f4ac05503b53ceae928204187a4d0f28367eb
SSDEEP

12288:vtOw6BaMSbwoqg0fitGbna8dQcLk/+cb1q86pJDlAF44bE2cSX:F6Bubl0fitGbna8FLk2m1X2D4brr

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4220	alg.exe
2832	DiagnosticsHub.StandardCollector.Service.exe
1008	fxssvc.exe
1744	elevation_service.exe
4504	elevation_service.exe
3960	maintenanceservice.exe
376	msdtc.exe
4924	OSE.EXE
3288	PerceptionSimulationService.exe
1924	perfhost.exe
2968	locator.exe
2452	SensorDataService.exe
4116	snmptrap.exe
4372	spectrum.exe
4212	ssh-agent.exe
3708	TieringEngineService.exe
4608	AgentService.exe
4576	vds.exe
2148	vssvc.exe
4836	wbengine.exe
3272	WmiApSrv.exe
1508	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4258d5e3c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5a729c724b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d59f1ec624b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c4c8cc624b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058f9f9c624b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e2666c624b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
Token: SeAuditPrivilege	1008	fxssvc.exe
Token: SeRestorePrivilege	3708	TieringEngineService.exe
Token: SeManageVolumePrivilege	3708	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4608	AgentService.exe
Token: SeBackupPrivilege	2148	vssvc.exe
Token: SeRestorePrivilege	2148	vssvc.exe
Token: SeAuditPrivilege	2148	vssvc.exe
Token: SeBackupPrivilege	4836	wbengine.exe
Token: SeRestorePrivilege	4836	wbengine.exe
Token: SeSecurityPrivilege	4836	wbengine.exe
Token: 33	1508	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeDebugPrivilege	2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
Token: SeDebugPrivilege	2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
Token: SeDebugPrivilege	2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
Token: SeDebugPrivilege	2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
Token: SeDebugPrivilege	2264	2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
Token: SeDebugPrivilege	4220	alg.exe
Token: SeDebugPrivilege	4220	alg.exe
Token: SeDebugPrivilege	4220	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 4736	1508	SearchIndexer.exe	112
PID 1508 wrote to memory of 4736	1508	SearchIndexer.exe	112
PID 1508 wrote to memory of 956	1508	SearchIndexer.exe	113
PID 1508 wrote to memory of 956	1508	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_03de3628f337a93f1989978680b7f6eb_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1884

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4504

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:376

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3288

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2452

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4372

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4036

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3272

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4736
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ce164c9d8b6115c0eea28986b4c4e076

SHA1
76b55d42afc5c52323d8fb8908eab53ce8e3ccab

SHA256
305f6b429105474412bd3e902a61fb2e268a255178b16d120e4956fbef539cc0

SHA512
179d4a18fd708cbc7baa3ab70e99357504539a3d8c8fc6b27ccb3c99e561c1c10e1770a5dd337c167b9c8b33165318bf98b5e90ceb96b54781cd4b4667d83e53

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
894ce7aa3d956a056c79eb16e42e6365

SHA1
7c4c6376359a1007c7bee4f7f265a0632042b44b

SHA256
2aa5a8150bf3c5551f4536b4e375c41a333db1f958f02c2b90a52266ad06f548

SHA512
56cbaa27600c7a0cc349161ffc97b10fe208477171fe9f5a64b64bc92ac9418bf6b84094f73b34f22526feaec8a87ac32c6a880bdb57dc3c5d7b2babd206a9c8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5ea2935ec0ca241367251c0d30d4ff45

SHA1
d6420df21e5f27236369d759f19600faad6eaece

SHA256
f3928a127c19620f356fb66598a22b8ad210787be72b577fbaf7a09cbab3f60a

SHA512
26f00064721c631efae361ef033a0437b6bd7e761f8e956b00f387f2b94926faab45c0fee90d28a3e681dc2c98235ce5ff52cae61b638df04afd6fc1f1758529

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7a7ce616a1f2f12bd75274f3117155de

SHA1
7b2be5629b5e9d0e768c97d1169dd4cc984ae4f2

SHA256
93318381b61c9c7ccce25eb4463463ffdb47afdf8207094b3fd4a27bbd8e059d

SHA512
31c576c0396d75a06068cf75c9cfa4c12c06dc1f13ce8b994c37b418d0ad02035ad77411a035698269da77a37afc00f5d5aea1ee1e31649a075fd5b114d82a5c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d92f04c7390e414154bf57b5e94b663f

SHA1
1cdd683ef2e47cbb10b1be9a67f008f2d0b793ac

SHA256
7ba9f6708135c73afaa7289392e5c39c1983d4a48dd0024c2340aba32b0ad5a0

SHA512
6565103f8017980d7a30d8ac4507d3189d15969495efe7c920905f29afece83f2b9146ae2fad6712c3d72434702e146bbc21e2a942d7fb15315634c69ef706a3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1ce2b9e730e7dab24a1909c9a356064b

SHA1
0683d6c910ea1c28fe1da780333f7b7268c552f1

SHA256
b84a765e742fc5e7c5995e150d07b73c12d2924e2d2c316167d422544e141853

SHA512
507acaea19e0878129ce95810453904fe9337a9d92bcf0a5e9ae1c4d7885101afc3b764194fc3a77d946a58b30c449a3889b2a6a1b482e3e996637642f7b2c77

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6073f7b4c1b2fe7032813673a31b1bd4

SHA1
2cb302ce1e4e3a9820fb142e76ccf9867cbe29b5

SHA256
e2976073f75a421dc67bb277879fc25e51f9a03cffae9e576ecda277768a89d4

SHA512
99a6bfe24fa6f44ab401f0f5d0e246190504aaecfd803041ce405092e91ab052c2d6cf4b38b38dac31b430803d3571417f41f79f91e6e6757fd8a2df270c1049

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b01abdde7dc1e3c00974a5b3f91b23ba

SHA1
d901e207942761d786e5dea8e7b196b37b4bca36

SHA256
5c4ed46f7070624118d71c499e7a68dce24d7297138aefff674f3eb2aed2350f

SHA512
589a0d75827a211af52a984ef87ed5bf789e6080385ab5ca43548608af8214610f8db3c1ddaca1d7a650633a369fed57e1bf2e60237e74612e196028742c3d65

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a3fdc2a96790730fd0818045e66bf8da

SHA1
1cc4067c8cae0179b0e2090b0add273925695172

SHA256
1456280d4ab17552923204054804827da3739a3aabfeb12b2963e385bc01a509

SHA512
ff95abccca21ae308391516fe600f1cbbd561ea6b04eff068975407d724196549bd4bf7af45ce06476b97cb83a4897e2931db88ec0e436f078e887b3b1b2f17a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9705144db06861a8bd9c11f841aa4954

SHA1
155c304cf7d0f7d5cf36b4f13518b94a845fc20e

SHA256
90ab43f2f5ae79b95f620eacb944b12b03986baf464719fec70b3d712435cca2

SHA512
b580edc5f79e50c7cf2de285ff514c24fbfdb1ac925bc25af41f25cd86860f534dfb2edf0b35c507092e34a6bb3bfad20e32b5d3a48d3148ebd2d751ddff0f1d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
295abed0f69537e21f62a4e1f9b745c7

SHA1
23a148bd28a0167a8eb0b08f73fe5a244bd0ce2d

SHA256
7f6c449ba0f29434a042b22d89fc1ee656f2d487961601aff408474a56e3f7a0

SHA512
0ec434b2ad155cfd0aafe406c405cdc1de38af672cf2283e6edec526b422c4c6809fd3deca48bbc359ff55e760571b004288a9bfdaab34534cc655751df8b777

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fc66c634014f12d17f0dc4425d199c3e

SHA1
36975f581a83dce58fdf2fe5e16acb3d1d4a446e

SHA256
ddd094062bc9fa1240973f8eb79f7513d9d6dfb30c4447e1fcdff1a37985a723

SHA512
e73b5659cce3a7db302ce8c0c478846192644030d30704b664b2873a95e399b3e53a263299682365b2f31d4db6f16083b72c32d3a1bf60f4851f4d847ad92421

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8fd6eebc90890e44b630277425ebf2ba

SHA1
9b8c0f1dedefdefdfe830a4003eff7a25f570322

SHA256
0062489fcd36afa4c6d324104ea7007c4952f7b76f13beb50f4ba07d4ad7aceb

SHA512
783fd040677c2933ffb5c7d2174cdd5f846070071025ec1e017493067e415f230823f882daa409a20bcfa50b44917f89624b6ff7380874e630c2666c481e9f95

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9e6302c65b85dca5ff4f889a10645fa8

SHA1
62225d621c5e17aba2c70fec3fd0cb42b2e4e960

SHA256
9aaa243527dad77ccc553bb24d22967ef5d01dd9fea79808bf6a6ee3d3199edf

SHA512
015efc66b13e624bf39b6fd46ab463f359025ef5647cee5fb2610addbdab5b9cc8e66ed6bd5652a0eaa25a4f70364f702a944602faf729735e93ce637dc33e06

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b4f6c88cff744b4fccc30864d2f566ff

SHA1
48ea73d7a7b3633960a411d30c43717cedc02c20

SHA256
740dc6027106bd3098c00a21ce42a63b77d1f6c90ee7cb1790707a47262dd8df

SHA512
e07135d8260433486dd13343e3010e9ab096cf5d3a011fbfb1a008ecebea7476b5e4e4ea489560e4e8829d99a85f567585873d9d5c14c140a544f9f179159b1f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d6bb015f9dfc8d62276a67fb4e948d5c

SHA1
eae388adf9feac381583e333f792f212e9e2b5eb

SHA256
06b038247d061e513801480c9dadaf09c18d9597fafba38578997818c82dda87

SHA512
d922d25a618cc03b239f2f32af6e83976bec79557d780816768e9b8e8eb788f380f915ad423eb3317c77bd76d580a9e69450865a782fc7d6a93cbc1d5a37ba43

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4787a6b0b5bb54566d955914cd8d8f9e

SHA1
2280126ebba6b974cf07f740d863211728c56e6f

SHA256
c3c2a72ebd709f2c436892992b1bd8230bff24325913f5257aa66c7d4a0ee054

SHA512
56254f0a62acafa7650f86466fa1cfa60c67831ad67fea1abb3f15af2c65cd76880c16ba20321cfa7e53d8899438f150cccc9195fe7e86766f4791173898319e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9e40cd88d95ffa71aa2bbeead31ad989

SHA1
aac1305d4ad9da2cd1879d8af04a47c836a57805

SHA256
222733c6d3314f0e00c9f6ff2b06b93f9ef7836b91c6cabd326aae28c58115ee

SHA512
d8e70710cf33f35d4943290c8700da22bbe43b27059f7e963954e750673793c24dcbffc25375d816963999366bfe127572758c950bf2c598d5d698f2317785f8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3d7eb92c8d2a539628c8ce2b564117ea

SHA1
5f03b63a112d0c20d131314bd97ec7d1b022376b

SHA256
41b6478abc4aac58449ab38875e8d3f47d4608d8e24d611dff2a3f843a120137

SHA512
73bb3331af7192313a0fc6fb5bf927d6920b010dd436eff8960ff60cc48488bc98da75c5a69d8e27c226ba06635b8d392b8216b2b8503d964ea73fda74a55f16

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ab404729ae4bb03041811f38b177ea52

SHA1
ce1e364001ceaf472facb8c48ec244be74080ea3

SHA256
b42fed1895de151913db6bc2293d43e6f5959bf2872d6ac9cded8061a7eac132

SHA512
cdd763d4342eeddb0f96f1db01a44a8a4ceb95fcc8f60c5e75d8e836f31d00f3581c08d812fb9158432e2d720764ce59571029253f3c2f103b69885679d8f5ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
9b3e204958a83e9dc47a31137b453f3e

SHA1
ccbabb20f41288d9f95e24ca108841e3d781b945

SHA256
bed9a79b52cafdbe25365393e37a68dca182c2fb3355d1868bd15f1e167030b8

SHA512
a316b87e0b3b85e840c73a8e2728631c5ecb09af73714feb226fdb88524f1450fdb085dca87c29ccf4f3ff279f75048e695aa06e3e112ea39ec96be793ea6290

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
aefef7eb690e3e743adf000732321729

SHA1
aeb79b5c6f7e0e7a963bfbd379c69ccd00183795

SHA256
f032131c8d791b41ce706c0d16ef663eb9eedf65b76e03544307a37e355b4462

SHA512
e3d18b5368a925cac43cb5172f0fcb1c34d6852611eb11101a9e569374b5908b1f2916652ed55181596992f5f94bb3676c0853e2a87867985a7264324d171a54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ad306de378a1d22ef704491ed4519cfb

SHA1
3de380411316d537376b0d2a74154b3b8500cb18

SHA256
635c37bcd6bbd60a928eca6e658460b1c7dc5dd8060f12433361da1230fddc35

SHA512
c3098ea0515854332f4df8c1e63e95be288518c28d3729bd62fbb5290ec45e359154dbdbae2e0fbe27aa433359b8b09fd4e167dfb18b3f2f8f0b6f55d009e325

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3796ec832ae1a1a187b40e05764e94a4

SHA1
008750d044898a0d1293f57c853ea73626425754

SHA256
5998d96daf8263c7c451822f4bd781ae55cb20c18ab4d26a04de6a48c6aa0a7a

SHA512
edd70c2a66df2e8ce07913dc101066c6b82d3b198923e8c4ea7c09ee4663193049c06af5334f4bddaf9cb8baea2e372f87ee56f4729aa47591f6d6702520eb14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
9c3749daf6e8a89f59c372f521ddb194

SHA1
202ef9d0031c80b300ff99ee41732ba92ad31edc

SHA256
3bae35e205b9b93395c09071cabfefd901ec6870b635d326c99af14807861416

SHA512
07f2119aa4b7c63eb58d0966041348ec4a3ecc35db73ec90f8adca8670fa1fac879682ef72639a08d045a8f4cc43b82b35900fdc52143058ec7af14da778c04b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
fe6e3135ae15ea15a7cb407477ad733f

SHA1
ccdf182a9753711a2f74db7e0dc28a0196201b06

SHA256
ae5ebbb1dbe48eb2d61e92695afb8a7bde90cbdf0488be0e29e84428ecb2934c

SHA512
298f61c1ff40e8fe06ac7216101cbceba5ff25e1a061a1a7362c21abf18713432202347a9dbb8a584452576645d1c5231a38434727eafe51b890ea9a1988dcef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e37c7b4d88312860bdcd036f28aca6e3

SHA1
3f6f6e5380e76bfd50bda12369a4e1668e63e84d

SHA256
7760f4bcfc4c81f83036efb20ab81b8388c15cbc0e91f7a8ed04b2e62cb5997a

SHA512
59747b4e45e3321c81c1624cbb98c0a308748d2374ac9a46a689f8be7e62c5db430dcedb703a12cddee23b30baee1e8bb182a56e8770d1ff03bb937447a1fc73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
7aa9555b474306f437fdbf64e35ebe56

SHA1
8d3cc247ad235d64b4c276200adc8b5a00372a5f

SHA256
a9c55ee897263820c5dd317e647606a2a73c66b431e590b5a8eb20dee0f65fb0

SHA512
44bb919d43cee8299184b30bf0d06aae9d578630fa40ce68c437cd345440de26060c35f97521be17bbc140ee75745305f2d3e3c97ca3e78fd659b8e88f30b933

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3db8a971ee00528434ad4393bc3bab85

SHA1
95a5f0cd75c36c754dc007e7c7e5dc6d9e61b9a0

SHA256
e01cdcbb15c61a9038e3433e9e04c8e146e27b7f88ec9d777498a6509e0e6d00

SHA512
d4ad75a2da3a80940b9ae35fe1a1cb90831cfef9498930a3a562b29ad2c5a0d6f89e0a4518cd2d9c0e1759e0b9c30a7a0b1b88bee5100163e786268e6c06cea4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
33068a42835c40b72814579f6bd3988d

SHA1
6ff1a5ab941e7829050c90e434b583005b81f30f

SHA256
121c903dee95baa736e49520459b30bf6cfe57cff2587894aafcdd0820c5318e

SHA512
dbb64612e03d2222f70145450e8f303b11665992d6eec5d962a5231f20bfe38a13b4c10fadf0abfe89df68b3c04d298248707f2659673c55ad83008df6d6f8f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
2076f8eca44fed03f867d42decdd68d1

SHA1
2c9e76028a2179cfede7b9aacc97bbe16d2f02a9

SHA256
bb538aa6a6947ab9386df081800ebc69c07b19a9d04ac719b60486df325d63b7

SHA512
6e3625a5fcdf3249afa171dbf3b4474dbd6796020a4b60894317fa5214775fd7a06bd13d46925abe28cdb398045bb8facb44d3dc683edce0928d71af969d5d49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
4894c6b09ab8b77d2e97aa1b6aa46ccd

SHA1
57fe9782e24dbdcb58a3c3c649e06d1cd048f14e

SHA256
9315faca4ff579c91a5dae68db0d653ae34afc78f3802ab27f96138660091825

SHA512
e3fb4044d49a19b2c3ce2ea3a5b01c8fedc683609b87b53eb79eefbd114a91a4ecbfa32a87f9d5589bb41d2c062eee9260142c0a3820f209dfd2dc7528404d5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b15e1c7f8176af95f4a84aa68c24f362

SHA1
8c3d2bc50ccf231dadd7607e7895b7da756fc28d

SHA256
9194c2b89acaa906813b9bc14eaf927d2783a728933be6f12873e428b543d709

SHA512
e6f6f7777a07366732b1f26ea231e3a1ec9aee0bff1e67c6be0aeac33566cd23d9e56699d6e234b5c51b42a68c74cf68103309068c0b1a5ae3a47ff30dfef844

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
196a0867c999a1e69c839f76ddcad6d3

SHA1
2706d7bacc65931dca63c9e4e8183dec488060d6

SHA256
48c3bda636fb498763b78e86487886a94ea278db1359fe31c8d8f3f7c34c658b

SHA512
327fa333c9fa8292759e49fff33a477b820ce8f54611ac3f4c77372ebb88d31db94931a328d8b7b159eb9d816ab3386dcf07f3ec393af1ebd8aca068f00edc1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
dab4e0aabd7b56e950a0523cf0d6a534

SHA1
b5d8bf11721e77b77e2ac6cf1d185a209e73ee99

SHA256
6e01466c72fe5de14edbbb306cb91be5773c3e7415b8b3094a96b8e7b087e119

SHA512
cf7851f5a7c81418409b6d2497880cea606996167e06b1e7c75ef35e4cb1ca6035bffcf4eed0fe5c14757facfc6688720d0a8fe2d7ac4069a3ed82ce910bbf0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
581e5f4176423b2f2c7ddf84d2667b11

SHA1
a582a37fbfa79cc856ff65d8bc03dc40f4ec731a

SHA256
d17ab0d726375d7951490abeae9a0cd52591cf486a992f0c525911eb19780868

SHA512
256625e1ce283503faab533313e1b102a3941a579e6b2977f4085c807c40e4be8729d07e18b7e971804094fb09143a929b06d49a7b9f1c742a808ec5c8b3d67f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3675235c6d5e24220e7178a5427277f1

SHA1
8d3852b1465a98cb4771fb14f91a95b9ad040d09

SHA256
c7dd0802fa960a094027fe432489c52f48a285b813293e60e1bb037673cb9fd2

SHA512
d385ad4ce578990a7ab5d15b3b15e4596455ca41cc760ee9db244a7082542fe45cde16b61ab8c708a5a0120a4408cdda431fd8bffda183f6d29b2a663152f5fb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d75757d58483a77147f92665dac64c24

SHA1
f7e75d3abcd238f71762912a440952dc71258fd7

SHA256
131d184d7e609add7693b54062c8716b8a0ff5833cee7e8fbe98ff291770a779

SHA512
672426ea568a4f6f510a2ce1caa185f8e1e1b2a5e23fd783c88d9b719177e38117e134e7efa2a60c184c0e259b8a417f5222d342b7ba23546bfc544033930b06

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
27f55d757e9d6c49a0c11c99b2323b68

SHA1
0a82f3c66b1707adc1e80953928de68377c5a770

SHA256
815177ff24389a9af2b77ff37596660e8e27190f57e429ce0d9f3a29b1d0a0dd

SHA512
f683869e6b2955c6b14a460a59054d78fd12d0d2d7e572a9430a1b83282d8fc08ac46fa6064978f19456c73ff3180fb84eb8c5b3d8bf14290766451dafe932b9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ed5dbdb05093238cfa385f5a84a974b2

SHA1
a61ee7f7cdee21eef3539898fcf3c5ec7af31fbf

SHA256
8b9de9f0b4cc91f69e030dea2b0527667914eef6cdcd5a989546a1a8da4249ea

SHA512
2e59a55d72b7a1c8c166b788399281ec85ad1d145d6b361a0af28451b3f05a594ec9a77a8c5fae2b150b8752b204daf9a3f82dd88d48b61ac9eabf39599fcea9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fb82deeab243d3dcc32c6827e304c2a2

SHA1
def64f9f2d8a5f54799344b3e5875cedc6934ba8

SHA256
f8e72e0d12e01afe30ccdf637b76148bedade158def73ce205309587f1a15b0d

SHA512
3cdf11a56dc9e9c1299c58b411201e57a06d5cd7123824178dad3eb995a0a8021fadba278fec8c77c35bf79cf6ca8d4840c511e4b2824bf2f518bc28ea9e66c0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0de2875fdc35fa5f541a69b0faee7fb5

SHA1
341d1a6912822fc4ba25a54bf6089f4bc1ebee3a

SHA256
e74422fb7d7519883d51d91f3bf3820b0e5a44a4b973257079731c83a96bc16d

SHA512
ac83a9538860bd93bea749d7414b35d9443828a5cebf8541953128c2f79fb16e89a41d209f688d125072aa5fddc9788e6b95d73c1666a909ec86461fd5602ed2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
9082ec2f9a9e44567c6a4ab847d5d84d

SHA1
1fb2eafb2aec8ac86e9289ccd26cd2520b39de92

SHA256
4be8556c41c981cf7cc18dd7a02eef37ad49121809b6ba7d65ec3dd07a32a4b0

SHA512
03dd2f044b1b54d1ec696d8361f404c63d66534d62f179e6b8e561321354810464bcda1250ced60d5fcc2c322b7fd44adbd7404a8c78b26a99623c6993affd40

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
c4567a2332fe8d75741eec80e9b6c896

SHA1
56da64fe12637369c010198a9a32edb43da6cd4a

SHA256
e4a1482b63db8bd312c0318646d212bc88004d9c38af03a6db3dfa337ef171cf

SHA512
ad69af1fe299acb2ca440f4426bb75bcf2e8dbd0b842e61eab1eed6c853d0a06d728e88bd26b0445b651d52ba03510e65e307f1b7d0b34cacc4ce323ec428640

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9586b7131685ae0bab80f5cd6bd78118

SHA1
00865958f3e999220cd090005d78c2201cd786d4

SHA256
d55f4c00ca7cf1886fc20dfff4acb11fe9aa155d7510653dfc8eb1176dcfa93f

SHA512
1a0dfdfc96f2c04ea5f6db11afdd84e5ca374d8408d29ba43468d1b154a8c4462f566cb5016e4f672e39fdedc4140ed5e5ac5f6a5a2ef5d19c4fed3894bd6c7e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
37f55910a65138cefbc711291e22a3d8

SHA1
a4bcd271d3b9e34d5e571aa0478e9e1b6d087268

SHA256
459593215139b780aac9caed1b54fbe27de2e02a882d1d6306089459c0b16686

SHA512
443a713f95c2f05a492f8c5251541b68c2217ca647bc4f1c868895b76ae36b2366301c6618d00e26506ad5337996fba0ab0ac4dbd4541d6f403d1ac738b3378a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
af43cc87b27123ba0dfef19e6a688091

SHA1
12bb978ec98e393e863f5e4238a9df3bd718dab4

SHA256
2d4c9df69e13b579cc3c2200d0200574e46a011aa6bbe8511797eb20af950e02

SHA512
c8e2208817e00162e45ca137c52b8b097c03660b38aeb840eb47c459963b536894217e09f39129f537d33181160fc75dd904c5b62cbc03c5bfc16e4a5e3cef5f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bbddc6098d80ca1fc0e9dbf09235931f

SHA1
0744127d34c9724f28936134903fc904dc242426

SHA256
b34ab35cd1cdac77ad477e8341ce22d15728de1b1ed03f1c8d3fef03922cfeb8

SHA512
db4fcd2595c7488f9429c2e2e7f055a770c687f0c0053a5dc314b9bf70f52585006775380c261882f05641bd2242d4866ff6f57d8cb77ce04e56071f0ce7e356

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5af38ed5ba10e7ba5764150559c7fccf

SHA1
4552a607f9dfa09c26a2c8fd2035083c9ef3fde8

SHA256
5bbda61e868bcb364f1c2a61233faaaa878f9768754f09450b2cab88e18db7ff

SHA512
592eb76fbf9fa316bb5305c7530135287a2c70ed568dce8b92d9261df1bcc9f84d5385f1994f5ff90a2cff2334a0699630f0857edb0ea34e5969cab0819d9c47

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
15e51a26a11cdd6df073ef41e7d9addd

SHA1
b194ae570fd864c85df14aa754ac91b05c9133f9

SHA256
63d8be968452f52c4defce74fe5050f46cd3ecd34da0795841b9956a6388c76b

SHA512
7823babdd419fe96bf0c2d36c9b86ce9093a66218ffbaf9415c9925e4c25b85ca24c7b029a09484f046f804e45a2dca712596f6df66bdafac8c45fecdd74d1ce

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
061e0145bc5535b2b00ce3aa7b31d02a

SHA1
7c409ec740edda772354149cd033ed11b563e9e0

SHA256
15748e522b86a535fc8e519c567711b4b04de293c0175fdf919ea43e0c629432

SHA512
076b2dbf405beff56fd585ff56f0cf89d5d25d340c21951db828414cac97d5c9d2922fc1c729d632393605ae3f7496b8b6535fefbadfd1c783a153ecb88f262a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
850bb977ad0b71fa373dbb4d3d78690c

SHA1
c9e23e064f94e7d33db72418936ae6e64c45fd17

SHA256
6e1f6e2e2d8a580d84a28d722f7d2472ed20de33d8ac115732fb0fc5c96a3e68

SHA512
b2ebb23f407a3c7f78786feda8db4cdc2ba74d05c2598002739fc7e1f66afd60253aa042ab18c64cecf0463b0f5f6da1b69bc151321d5a3c3c48a02fb8b07b68

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3880b30556e99c25e603b1c6467ca086

SHA1
d69b4dc2150a6516dc592fed131649cffdd93628

SHA256
349163762754bf250b0cf36a8820eaaad4140ae51c5452323e7b71ae99082967

SHA512
e8c97e0076baab807c41e3cf4b5b4c4a8ed9ee487a043733984d555bd7c2484f9ee799ea08abfaf3bbaac6ffef3b075a379158136cf09ace109b40cd709b6b23

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
499fb4352b6931c4cb767f37478edfbc

SHA1
63319dee0c7605f09b25fc941d861b1192357662

SHA256
1a94aa2c2da4ad7b79fa519d08ad6b54f87d390fe38f0edea0615211746401b4

SHA512
087c5c7c576589625023085b9c0cfd41e2037e55830201c08c1c465d8bed89f5468c5ba4c53249890482c54f2190ac6e9b6e9b18d54581130a88986f13e92a1a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
9159bd3142caec1cd61aec57fe7ac674

SHA1
9ebbc89505d32b92d898e34565e93ffe4ad762fb

SHA256
261a4ec600b314803936e7e9ea8cedc16aff0c2e645d76b23395b5a42e84081d

SHA512
8ffe84476408dd6dcf463f53d1ba82dfad13fe087c97dfd8cdd1d239caef25653d211a6bc0f586f0a73f57a78a0331224e8e6ed10adfda6b91d0d7204575399f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7b24520dd04057310c69b07b06502211

SHA1
199af4340f567062bb47560e8e475750ebc1b6e5

SHA256
514c319600e3e659a813ed25e8a56dab957ebd1b66b13d54ca5d9cb7e9012051

SHA512
77f3346f70a756f04f7c09a894f3de02e03755db88bf049f436b8dec55ff42cb43c0f6fa15ce03ba87c3e0689560b0a0c3fc558a8a6514b1b85e4c6c6d432ab0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c9d8482abc673a4cb154279c1b6a9193

SHA1
fae3f2e5ef81829f9ffca1d85c8e5db3e264a413

SHA256
3ab84b7c8a8d3c636bd672fab03e130cee8e4aaba1404f80d94cee27bd9ca4f7

SHA512
61c2f31e41df2b0a9564c5aba58efc1e0f5aecc8aa0d48cfd6e9e2e4480c475456b92f82d5ad20194037eb813d9b3d9ccc2ecf2ad81b3720f38a5a84dcd67c1d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
87e63319707856f320e91aebc5cc21f2

SHA1
5633ad91ba3fdd5a49f6b2ab8d19219c9bc4d35c

SHA256
ba5eaaffa77da0a43f69d2c4ce7c773ecb24cc59607378381fd00677469a89e3

SHA512
5733ee6f201b7f3fbf188e9fc193341976465a142c9ca046141197664835404553db68f29b87c99eaf4f41df7abfc98e40d5eeb587a44ff63996841a521708e9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
175e1bd3bbf6e8fb701b2ea9b22f3fa4

SHA1
93ba5d1349dfd5802d030ee650749ebcac0daaa0

SHA256
11a267941dc873527f1cb027760b980d30bf3d99dae45665127f83c2bd1201fc

SHA512
83f6dd77d8d7101fc3b516b9fd4b71eedbb6ee3e01d90b72cc9115f50e248b074d7dd1d05d97f973fbd8382046df0739b9dd49787bf602836d0e91c93820c4f1

Download Submit
memory/376-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/376-89-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1008-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1008-57-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1008-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1008-44-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1008-38-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1508-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1508-626-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1744-48-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1744-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1744-49-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1744-55-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1924-238-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1924-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2148-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2148-620-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2264-73-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2264-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2264-1-0x00000000022D0000-0x0000000002337000-memory.dmp

Filesize
412KB

Download
memory/2264-6-0x00000000022D0000-0x0000000002337000-memory.dmp

Filesize
412KB

Download
memory/2452-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2452-614-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2452-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2832-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2832-139-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2832-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2832-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2968-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3272-625-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3272-256-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3288-226-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3288-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3708-615-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3708-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3960-85-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3960-75-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3960-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3960-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3960-81-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4116-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4116-440-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4212-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4220-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4220-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4220-18-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4220-115-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4220-19-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4372-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4372-463-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4504-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4504-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4504-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4504-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4576-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4576-619-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4608-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4836-623-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4836-239-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4924-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4924-214-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download