3cfe9c0b80fecb5d50c321dc21e37422eb5116eebb3aba2aca7d1d1ab130b5fa

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
Size

1.8MB
MD5

86ac72728083b65397dcef8e420b283e
SHA1

cf6f98e5f6b184cf3c8a48f328c429de9083b8ea
SHA256

3cfe9c0b80fecb5d50c321dc21e37422eb5116eebb3aba2aca7d1d1ab130b5fa
SHA512

05ebf28e83af95ed545d64535b5851cb14334bfeab95f14aef4571d0313815b137b27c5dce2df4544418bf363ca5bea336356c3dc29bfaca7cb4f851481fc6fa
SSDEEP

49152:nE19+ApwXk1QE1RzsEQPaxHN4EjhMjSax84:493wXmoKQQWdO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1260	alg.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
2644	fxssvc.exe
3912	elevation_service.exe
3388	elevation_service.exe
3796	maintenanceservice.exe
1592	msdtc.exe
860	OSE.EXE
1316	PerceptionSimulationService.exe
4132	perfhost.exe
2640	locator.exe
244	SensorDataService.exe
4620	snmptrap.exe
3156	spectrum.exe
2116	ssh-agent.exe
5076	TieringEngineService.exe
4548	AgentService.exe
1688	vds.exe
1420	vssvc.exe
1520	wbengine.exe
3872	WmiApSrv.exe
960	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1c30d2ac8648821.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b3c4bc258beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f74834c158beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3e1adc158beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddcd9ac158beda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000186bb7c158beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016baa6c158beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c80a77c158beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bffc06c158beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebf763c158beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
Token: SeAuditPrivilege	2644	fxssvc.exe
Token: SeRestorePrivilege	5076	TieringEngineService.exe
Token: SeManageVolumePrivilege	5076	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4548	AgentService.exe
Token: SeBackupPrivilege	1420	vssvc.exe
Token: SeRestorePrivilege	1420	vssvc.exe
Token: SeAuditPrivilege	1420	vssvc.exe
Token: SeBackupPrivilege	1520	wbengine.exe
Token: SeRestorePrivilege	1520	wbengine.exe
Token: SeSecurityPrivilege	1520	wbengine.exe
Token: 33	960	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	960	SearchIndexer.exe
Token: SeDebugPrivilege	1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
Token: SeDebugPrivilege	1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
Token: SeDebugPrivilege	1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
Token: SeDebugPrivilege	1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
Token: SeDebugPrivilege	1876	2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
Token: SeDebugPrivilege	1260	alg.exe
Token: SeDebugPrivilege	1260	alg.exe
Token: SeDebugPrivilege	1260	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 212	960	SearchIndexer.exe	106
PID 960 wrote to memory of 212	960	SearchIndexer.exe	106
PID 960 wrote to memory of 3368	960	SearchIndexer.exe	107
PID 960 wrote to memory of 3368	960	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_86ac72728083b65397dcef8e420b283e_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4644

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3388

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3796

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1592

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:860

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:244

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2984

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3872

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:212
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c381f01ad44f4bdc98432b24a86adcd8

SHA1
dd26b1f92e0ff1b25d2acec76767f29faed96279

SHA256
1803c76553c90fc95cff44b95349cbc13cd6452df4a84ae16816456fec5a4e21

SHA512
07d7c5f4b3080e20e5bd7c54c059498a0a45587c0425acc11211113c97461dc8c055c052644b0dc69a18570ccaaf2a7196fd8136f3da9a86cf8806b91aa6712d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
211ae408a484373f555e06459ba8442c

SHA1
f0bf63e3c6b0af1e1c1699c60e0668d66a09f252

SHA256
f9c807ea8039d1c1ed238c22e2b2fbc26115a1e0383be56d8d945904f94aba9a

SHA512
9a2eb5ac53fbf004e2dcd59bc9e6ccee75cd29d7e4606077958b859a0a4430f33222d6da172ac650a5b80b230efef6ffea8f77d0a4fffca6d588a5906fcab538

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
6f94e813027bddb36bf84c94a57009fc

SHA1
b22e8b46d8cbcf421099516302572bb036c78bac

SHA256
80500de4d0e36ae7606aba663023b6660a59f88c48d60f089b6a842ac4572083

SHA512
6d416e49c85a6837dd5d44631c503df7a188b63d2e4ced2604c6952ab67c7fd3599b7c8c25bfe27405de391c3d5d27722d8dde34af2aae353b0da8afc9d207b0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c3e1f302aeea696d3e8f16e9ace499ff

SHA1
15321efb7414911b9bdf1fcf418e61d86107992c

SHA256
20f93beb097f8a46e9cf6b95e568a5f766ff9bb488d98df8e67495f76ef51959

SHA512
54960630bfa10d5159da81f7aa9e528930f1099475268215dd251649d4b5da45034df719aab4f32c7c6438b44536d675c704171575e99ea79acb69a92f8aad3f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
57d3bf3504e3255bed420fdbc27a083d

SHA1
7345690a04ef3a8dbed7abf5974b40df5d9e8736

SHA256
2f25d83ac760b6f06e8adc7221c59528b84af727c948244d5f893e1cda67cadd

SHA512
60b5894e412e7004617165ef3d7c7fc6da96ac10f36ed8fe93274513baf8825095ddcba1bc18fbb0023cfd3dd12bed85e0fcaf7d7e3cdae5ab749217adebab3b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
ad844e23ad5c13cb4b28fb7961ea258f

SHA1
d732140b6968e0f4c72a3fd1778dcb14d45cb58f

SHA256
da31928a1ed11d1e9364df40328736bb75d8d339ffdd0447d7d5445a66a2a72d

SHA512
65614f7f24274ecf12eddbe9ffa93f2c8a6510c6dcb3f6726b9061cb3eb37a30e722a75ffa6591808453e26eb10a1b1985d9f5424eff4c32b73e51e3073d8941

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
30ddf14a17fef92fb2ccc11b09e9c576

SHA1
4cdf85038af62ebbfec9bd49883d1891e1494c34

SHA256
782bf45c36c88220e60efcb147149af5f61162d5b50e6cf1ac549bd0b2f9c645

SHA512
b92aba3b212873138122c45167217f0b395053e2ffe140e3dfda838b1149d0b0a0539110c295d7ef4d6133692ad7f0220eecb133dc4c8fb9c4301f632c801da5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a40767acfba6e6d225e4d59899270552

SHA1
ee1a1713139182184a87d5bc77b1e5b1f3a3b895

SHA256
276b9419a7eefec823a2a6092b963de125f8d7a9b9ec70f2e437fadf21698bf7

SHA512
f57179dc2e5dea855be89545f53b50168e9fa974c11e75b687b20bd1503625743d2ce651ffc1a3e44d3ad9ea94b2b440673c846dc0a7b8f805e167f04c83b8ed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
cb9184f6462abe4f88bafa69e412c46d

SHA1
ea87bf5eb31f11ae91fa29d894c36984641797fe

SHA256
14b2e30d4b12207e156280ec3f8a15b3be5f737add3f8df9f04604c551160721

SHA512
1accbd4b0f3ca4e550dc826f5de5f4c1de7a342cff2059b5b3ff456e51e61c41a6845dd530bb6362681df79f5009747d4fa57f71b5a92af7d598b206e0882a45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
12c6d90a2f74905b550c0c4c663bdde5

SHA1
ca2bc337b7be1b3bdd7d3d50804ee065db1ad73a

SHA256
ec6f2f8e9ce302b4b209c9da79051affe246d9830b5247f8d2aea6b05a69694f

SHA512
e3df00abfff90238d856cdaeaad3a68f3123207aeac2509c39c783ed696093cde8c1efca2d6d7c2da715c8aef6e1d188c9fa4e60d123232cbd88db2f95759744

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
337dbcc5c9550d37fa9a2ef44bcfdf31

SHA1
f0e8ae3fbe477a6008226e65f48e1eafc5eb5998

SHA256
ae5f74b29671612c0b64ebac10803deec8a056fcc484d464cbf8bb3371126c7c

SHA512
c44aaf68f330d7c315ace2b1c9b07c3654b75a5cafca0b7d8fe3b748a651ed88946ad7f11b82b7adc3ead157aa4c6c2ec1128341a3630ad7732e1422b9cf7064

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1d19494ad8d82672f3455a17e79fc83a

SHA1
924971dc5aa6f5895741ee1dc97ae503a1fa590b

SHA256
b9a1b6ffd839e402caec238d7c3373ef6ed097d96a58381e5bd8bf117115b540

SHA512
1d14be581e0d36da6c2a151996c1fd052f87d3762dcb1d7788ac93f86a38e3a5337464bcfa40796bd1e386a78709317094736f5eb92451fc77b841f39a8eb11b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d1bfb9fcd9795b5fdb689a0eaec83cf5

SHA1
1b6b054b6609e9482789d385b949bc23ed7ea34c

SHA256
c59898b5b0fdc12e669441a514469476f3c2b28fd34499d1ead7d0d5c5274c20

SHA512
31e2eaa8bed5d47286042aa7fefcf701f3f6b6a935de90e2249b573e526a11a872fda103d0ed4b1d18659c238fc375b3c094e1ee59907a0bf71823a55732d05a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
71b6fb37c3017e6a56032259cf7a5b63

SHA1
21ccafcfdd64810642778a5230482e86afb28599

SHA256
a56f0c0b43feb66379fef1d8bf5508eda698b42daf2a87664da1389d93529a27

SHA512
44c236cb4abc5cf261bcf9edb82b693cf3c31d608282092e16e342616c91a29725be0088e30793095da517ddfbb465cbf27f4ecc328d04b52eb3b8b03bfdf9c3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c468e9c5bc44fb5cb2029b4866591468

SHA1
68d32fe28d5c794bb49ca6f0d263706edcf9d520

SHA256
97ab2fca8ddfd765f9f18ba83c0608f7ea20bf9c79d7928b09f366b4f8369650

SHA512
c8753603e06af5c33c65becaf86ac44e6b9eb04580d749a6aaf19a5d4048d5d4c726e1dab8d6812b47d32366863a67b2b082e4168d233884618ba3fc7c48f96d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1ccaf78e4c1099d4ebfe307f788ed84e

SHA1
609fcfb516febb8f2b5dd8394f93587a81374a86

SHA256
82ef8f10d8a5f1cd0f4640ffd42d8c74cac97c8921528120f32e7f22230c3d48

SHA512
1e21ea3bdfe021cfa2dc7d960263933d9fd0d11ec90cb11f6487c0e245dbb306a1d25a7ff375001006d8b0615d190c606e5f38b4b9239141c78ba0db2c743513

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9a205e7b8ee884f3f8b1b7725a20c8ab

SHA1
7efbdcf3c90d86899659abedc0b1f10c65a38d46

SHA256
226f92e56b70caf35b74c2b69b1401fdfb70d197b5d901fbf4080ee11859314e

SHA512
0eee842a66879934e763a5071897bdda411f8c0da1a059a3c9e6fae4701c48b3f59c254d373956755fe8c698661f8a7e3bbf30a2c1c79283501e5e219462adf7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6e27d15fecaa39908c763da65916813f

SHA1
bb479239c8cef1148e515e5c4b60a242b6a2646a

SHA256
f2ff15f5e5940efdf010f4fdc54bedda904ea24e625524746b1848b2b4e6ec25

SHA512
46124cc099db821b779aa4b3fecb68d5aebfc1aeecd8611943efbea931d3b95da2d4885c99684c1ea759ab8b2ad589bb59a5054175d75274555e7287002bc261

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6cbd2f8af3f5ddb86b27357d02f6d190

SHA1
1faaef8e099ca0d9c5d0a8b0ccec365152f97f60

SHA256
bd3234ce3dc7d39a9a1110913fd65b4a6a54f38869b582c0fe600261ad8bc745

SHA512
c5ad795d132000e21f16e10b5a1b88092ab611124d4de0462e3227b1b9852a988a0d58256c64b850a36d213f135f14fac74949db297a3f4fc39d6c7b1e300ea8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d57d4414ccf0f10140c1283b4e400d80

SHA1
1d312b0569b42ba804eb045d66153ec01e95445a

SHA256
f974bb40a8caa455978d9f31f1cd8b353ed7111d901a68f90391e82f59277303

SHA512
2ca5cb81769ef2812ed4e682e4000f84351135dfb36f1ce90f61c98ab2a284439b7d64312e56e84cfc3b9eaee81cabab45de75ff36b7c911d88c1114eacb2be0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
89b61e0a53066b44914c3be14750b4cf

SHA1
865967e6f00fccdef8ceefe3fd6735baffb7bdbe

SHA256
7a8147275ee7e838559c0e229fd29af841a1b8801f8ba793ee0a2a11edbbdc1f

SHA512
67e6507dc0000c319a3efe89e3c1e1b58a843e6124ae4a07f5aca0ee57dfd8e3edd58c9853f81b0217a70567c1493c924b504bf322369a4adea34bc00a5ae095

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
ae93b1f77cb1c6bdc6f9c8cbc2b855d3

SHA1
aacaa368ed0014244fa13f682e3c1709773a1b06

SHA256
180c5ed91a8bb4522226e89425f9aa0bf88b44821218c75679fd6f112d4033cf

SHA512
2322978959c4c55e3c2cb47d2579f917c90eb0f73bcd0898a6e80b7c474f2d2a6eef6c7d0b036cbc238c980ff2f190a129fc49aa46cda907a18267ccfa7b965e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
0a731e017fd03e5a930aa955aa06baf3

SHA1
614cf45a7b94262f7823bdfa936e797f7675acb6

SHA256
28252f58ee96732aa9b98a16b0f1d46e8ee0cf0dfb0b9fb597442b5ab8a3e5ee

SHA512
60521945443bad3b4b87ff5ca20fba92462f16f301ca2a23b37bdb7d56e4bdc6c1e67387728f59acb312e14e8d1933f42f1f57928bf39185c167eae5b33aa115

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
84cd8a05d06782d6c971c6b530c30c6e

SHA1
c557d62199e91c35b1ff4eac4553993303822dd5

SHA256
7bc20942678166bfb3a489ae5d3fafae159737fe2fd409212a095d9f394e681f

SHA512
3e4c16a3c6f202fcad121951d6eebae629d9dafe6d7420963491fa75cc955a4ae9ca5c2c63871f8b367589064ae047a9ae26aa84cf47f6578b22c0fe79b39373

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
64bb3ff5f47ec32048681b66ed358f9e

SHA1
53f548d83839646fa949fe4edc7076ed5d001c44

SHA256
0862d07f1f7ee651694f9d41890d7e0b2cbd3ee9da3ec99185a5a69de9234085

SHA512
fa6eb281d3b5e6f289d3beede5a86f275a07a77ac011f4ad6b55d892e6929c31ea63cdc766edcf7ea63b342c21d48134aea5c3ba22842e221931498e27113667

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
922dba0098723babbdf1c1bb2d613565

SHA1
ee8542045747ae299e51bc328d580b2efeae22e8

SHA256
c9984f36c8447765f7e0e13069432a34b62b6a1d1daf57952e6bbb57fc1bdb4c

SHA512
5fd2e7df0f4ab695c17a5e368a8725ea7605563ebe8fe43e512809f39178d747128ca4d92cee550d29893086efbba4cb5ae86cc441c13eb81cbc7dfc7013e9dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
11c715b7b63cfa7abb164267f9cddea2

SHA1
b33f6f08752f5cfaa12a0f13b5d7d55f052f640a

SHA256
517fc006d656a805ce5171a5b0cbef71ca7edccaa889fad50bbae5fb6c5df0d9

SHA512
80fa7c7a79f298681946bf080b12708610a91d1159e26ba850d1fdd5ae797c5bff1f55d3e9c8740970a140977c299f2c840427df2b46645487a9fe5e4244d865

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
f9119bec4bb401199ec954ea3211dddc

SHA1
67b53277672989477dda87972c9a04a25e253b1d

SHA256
3c04881bd510c8cf1ba983f2e4499d024d4999524d64379aeb5caffd9a41e193

SHA512
2fabdc21415f27d36af8a6d04c0599558bd04c5a347417ca9dd8279b4dfdc4d1f48807f977ab86a1232e589f47de8b6382f6adaa76132d621901448e4f33df2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
176346474e1c6716b337aa512851e195

SHA1
7324757b228b2b8bd8c8be0ed104946f20f6901a

SHA256
3cfe3b3fb2a14d7138d23d85519f7ad3f44ba2de848133061906696fd51b45dd

SHA512
625cc7540caa7447df09350f66002a4805a924c1fe6e6163bebf0ac4af3bb2ed23e9a35901d865eee7fac07dc7d2357a3304a9ed04f3d875d39fc2400ec6b7fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
a70b4a061dec4921afda86af365a5c30

SHA1
5b52595aa45c870fe6aeea8fa0d23233917f9380

SHA256
3f10f38fb40dd92762afccc6e2261652b78e3913830fcf9ebb0ced91d19102af

SHA512
3f16d3ec98c066e94e4753a5e2f106f24b325505bad0eb352b766b9dc59c12c0619b6b697267e8282d9eb703b0b2f0415477495096a92cf7c5c1754585e1e780

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
d217f8f9d88606aa30badeedb3857a29

SHA1
ce1e3e85a1d232029b4a06b7dae0c67548653ddc

SHA256
a858d14cde30a3c030f8f3188dbc26617c9652e8b12d2b57e8078e82b21827a2

SHA512
6d5c3b99adc495aab2adbfd9fd658afb8aa5a8d8013d84a22adcfca8cd19bf191792946d2b312a2174c9b9d1e5c5513549ba294be160a5918863f28e8a41f7ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
4c28735f2bc873ac0289bad93ec97fac

SHA1
69187553599baf9b03ab44c9a589a1deebaf0a37

SHA256
0fb71f3b3f1c7edc898ca3ea0c7026760139aea8ebd82c7a3dd23c59247537db

SHA512
29af89a5312ce3b4d3d31c5b7566c89cd58d06a49c06e1a8152a4c43403ea6a2a188e93da82557936f285eb436f3499866a2c576f5090949d264cdb65b4ff2a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
72e907fc4a498f499e10d19f8524aad8

SHA1
fea1c00a9621eab74a9c2969e839584e81aae876

SHA256
fa076d2ee4bcffbadbaf24e822a4e1783bfcd6b076a871e3a3f9677edea2907a

SHA512
4584079415fea18e493b84adc4aa6546b2221d77c637c8f9b4e7ec76b7eabf47c853f0c46a409082134a574e57ead2d6d5d25878d37998bd0b173cc34594990a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
a9ecf4ff1535e618ab87ca29a06716b0

SHA1
a7c55ab967f982b791295c2fcd0da09369ee776b

SHA256
6df788e5febd080e7890cb0b3b49cddbcf341bf8e43c073f749021dba99c9896

SHA512
3d0b22e7971634349218eab8b08f2901091b62446b5afbae3a2ba3a24d0ad5618061a61361bfe8d861183bdbce7b17e1ad27e10bf3bc7681c5d99bf653fea2d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
55d0c400395341d2e0d1b7bc47d232cf

SHA1
b565b22128f1d19b50f3a9e7eab1ddeb83365323

SHA256
9b09394849fa018c8191ff834c36746eb3b6f42ba64c28f14638b781b8210ffb

SHA512
a755f2680ad35d004c5bb0ac2035f66f6013e13672a71e6740cd5909fe1148030b5a69dbad63b88e13561d385c6af257be53a8342b2e243857ca42a3fd2f7623

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
f35e03ae1f0d522be4d66d0ecce95104

SHA1
6864ac6756885696e1f20746d3e84acabc024a6e

SHA256
3b59c80e926df7908bd7b8d26bf65428923497cc2a5c92f10396edd46d256fbc

SHA512
2fdc17f80c78ecbdfe3652dd253a580ec2fe500710d37068969b3879e6029aa819e79fcd48b06f5ecd1f3d83f80257d27fd645a66221258279e8119a49dc78b7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e38478b03c4f545766bd43a7b98adaf3

SHA1
f6ac3ec598e5c6003a175a9f85509f17bdeba44f

SHA256
028a9a29d22cede008f199fcd67e741226239f2fa1397559c981ce21d36696bf

SHA512
2750203e8019ea2958cc0b2accbe95c0228616efc2424527c6b7a0b24959749c383a6de27f587697bca20caf5f965f9007e3d7189fe0851e6ade876b4d452a27

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
3e0f86297edafbbe8549a56d6f724600

SHA1
0bbb578bee67ebe6485d0bec4b519c9ac7189b79

SHA256
a17558ecddbb7171cd7c27365ebb494c9b0df4daf5b722ce082a094fdc125dd6

SHA512
35deb4331932635a6aa6dda2f5b8ecce8aaf143cc9a3bdf38a40fd4a3d4417090e1b98ce81e534fea757a1c315ca1d1458d35efddc49840f42455e128a703729

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
e119221b60c3cc8886fb58dc27f3be57

SHA1
9cdb98076abdffb34759c765a83cadb2a139212f

SHA256
092d9df161f15414a9c35ed237df36eae91f80106ad134296f7bfab0facd15ec

SHA512
1248278580af2cf4e735dae103023230bb3d16aa3e1dbf800b7f262371e77857c9e1378229ecb0f61f49d70644a07184254860057797363678d3c7192029f653

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8c8acb3db5c45fa39cb7cf79e4a2dcc6

SHA1
c0bc903522840a2920492533dcc07b1261abc005

SHA256
e23ed9ba598009330f77616c88259346c473d1a17e6e2fc80c084503767f7408

SHA512
c8471fe5889ad50141965d3e69a16b38d32e176c6dcabc96576597ae2d7031895bf8cfdba1922cea8665ab64c3164bd9808b8d66071849145cf5762db1e82fcd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
f67c7471907d18a49aed52171858d669

SHA1
0dfa95824f8ea3a48812cf38784c35fbf9c8264a

SHA256
19ac6c7ad51a97b7d14c5fbc49ef8f134d7fb44df86a06eb067b86a814af51a9

SHA512
5183a537c47a7bf2ce28a050903c3f06d6bff3caaa2801b5e1411dd1b930731fafea1d2eb9442f3ad91a5c3dc9569b755a565758590b15a71f59c0d6c72380c4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
691ffadfa9371ec6f928084c66a572d1

SHA1
b64d67ab1a47c4cf8f8fa590f3eda0f486502f0f

SHA256
4cc7c220894d0f5168e7151ad260b4417eec1893b8455a4df04ca969bfd0d572

SHA512
3c3b32be7e907e42777c169cf9ae9e9547416842647ec95d422762bac20603a7868b6705130a9c11ddf3bd090a77e1142d85065362bde870a6b32264efcfc837

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
22c398ca0cfc60b0be91ba36bb4b1cc8

SHA1
df280507ca164eeb5633c068b771489c6e7aa7e4

SHA256
1a28cdbd9b7ba1a98811cb21e857913c8f665329c94a46847f1a6fa9691ddb18

SHA512
452807d35bf9d811d32af80b2434f19ef4ad523d7b0438983a2337b8997216bd39ba97f80afcf95eda17b271a8d92e489c1b8620eec6a0d681d00cb6c3e8e37c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
63e2163db24d11c6bb0d06b8778fcb14

SHA1
77e173d025d2cdcb5e1c7fb39183f29683cc8715

SHA256
643ebc90666cc10d9f2cd14d25827d3097e88289d1705af1ed825d6b82133cdc

SHA512
745cc4099eab8afbf5d9af44d12c3792a49da99c187fd8dd9f1a474a8de6fe517aa876cabb78b9c1a88e3f058c4a4a37ba2cdbb5fbd0f46d8375538a6f71db83

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
27a01e7b2352ec9b4b69d152e1ee38a3

SHA1
676102d6b68a3102f7d1bf4d563fbc1d2865c711

SHA256
0cff026e570aa5e7a3fa90510cadf5f678b8de0688fab05763cd5ecaa7cc8c7f

SHA512
da4da5fc08d252ed81c226d43ea9cf6f0a4e4e28b78c0d7a07e38060d7a98417913ad55b9d3e1dfd1ec9088e75fa63949178df395ce28a120ae22b78e31198dd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
92064b74df28483624f4a3cf821eaf42

SHA1
601fe94c5657f2d83031b099985b24a331d6e320

SHA256
36a0676fbe815b4bea8a56ed65ac04b034bea225fccc6b62eda145d30d4bbc54

SHA512
e97f4964247b6f55cc36d8d130162bb96f075f42a43d11f5d80ff4add05e220cf1be977dad8b87a5b3c4b2500b5d0d5108c5a6f15aeac92281ac051dfb8627d7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d537319dfb9976077e525c1776d9f38f

SHA1
2d71dd183e10f0074b50db18771ceb1e606f44ef

SHA256
32191cb7f2ca8c5c9e759b0e201f755d952358961dc53e965bb3b64528adbb5e

SHA512
521eab476924efd0ed8baf0bc118a1ef7d9ba505e12e5511b6ad97ed34bd950c15af2dcc79a22287d446c9c52b1ef204a143d9c338ecfdd89d0990be273c613c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
825cb6ee617bad580230f9e6b50e467e

SHA1
4af39cf7f6a0b1568970fba2905b765a9f07e4ac

SHA256
d8338bbb8d41472a52feec286a889340ed7635fbe11dc129704a27929e633044

SHA512
dd12ef52643ac2cc26dbe6a6f08607eab3655be2bab61b5199f65c3f61c89f116629fa431ca08c240f0be792b351f70e81d6b223efff4947fde8dc6f4328a4c7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
b6961fb8155730efac697fb0703ab7fc

SHA1
b8628f304aec009cb38a34ccfff5c1f267d95097

SHA256
cba8aca85e08b8b81be714e77f46252b77a382aa2469da595bae2f21d3b3f78a

SHA512
3acaa051e499465dee6cfd2b1917ee5f5a927f25cedd37241a9530a91c959f6966363fe9d53949ee89169b8cf2fc0f674477d6d0109da5a25991d5b6e2e9d879

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2d3230aca0157b87d4e28c2f3c6a20ba

SHA1
212f6a41b66d261bb30b96da2e88f626859f5c76

SHA256
bb9279b791747ed46aefc4530be75102a19f535989378a124e781e1f357513a6

SHA512
90b759ae3359471c0bae21240db84f20ff7372a62e5bba40f2536207facdd00f2c2ea60619a725cc10b2f2343a4f94110b9ed84cb8fa41c0f921ecfe15301e1a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
9e88534706af5872fbd0b0a74dcf4538

SHA1
0b1ed7ea3a4c9047f4783f14bb993891cf98e266

SHA256
9e81ad26a7eeb8e11e5d9cd9ac78e7548b6ffb37b52539f469dcdb55b047a567

SHA512
0471ed5adf2ffe74b30c9cc38a7670157cbf6947350eba93ffd3b96f5303c7b1ca444be561bf9f69740789dafaaf07b2e14996fc1d076f445d1258c014fafb6b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
b2f4ae0c2acae834742509589e88f142

SHA1
3538896603e4e3ce8cbf616b3b19cd3684fadb1b

SHA256
bb0f78ca107fba4681e928813af6cebe562a677d7923327b9d77cc9c447bfcb3

SHA512
c02624193a6d3f497bcc4005b950013592d496009ba0c6c4f92db05b35b9a8020e7062f685481152370584f452ce7d4b554121c049803c170427955537ac51ac

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
beff6e2b29e50a3e3a78850f61346ba9

SHA1
6803693b02abc31fc21fb0e6802492adcdf0cf04

SHA256
b9281ed14d245387d52895ff71511560b3458b1b1c40a2498eca637b81bb37b5

SHA512
7fef6b2a5ebd867ae3cd97f12efa48464546063620522da8548b02c003dbb5a9c1ef94d1cd8aeecc24fa32e9fd6c2ddd6fa11022ead71a27f53b892419b3cf41

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
89e2ddbe6cb9f15e8edfed4d94cf2212

SHA1
35cb1f0fb29020dd875bf37fb225463f8e74486f

SHA256
acd003e8fd7eb6ab1d02af442b7743008295ae2f8c387764f1ffc598d04a0d26

SHA512
810b1bff529dffaee1cbc6acb28c85e5381bcc6aad6ad0f42e553ba5011023dc6ce19fa44e183cbde35da5b8a8f1d00d0e6d9458baef353c964a77ee2bb80799

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
726653e8f624cbb50cd176c690d77c33

SHA1
066676aed077703a21f5c1d02d578c7b2d21961d

SHA256
46ce01d36b265145f4efe809eafaeff3dc4fc1ad89da6bb24096fa1997259c4c

SHA512
cc8f9648c3fff5e467c1592b6b76688c723eca7c95d824b350a958738589233a6066730cacab65d0cfef7c8cfb57cfe93346abd8ce8b7e91d3e2d84ab56e32af

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
aeeee52019c35cf7dfb8443b24947ac9

SHA1
4a37cc4edee63a9bd13b6f4ef75f8cf6637688cf

SHA256
35033d6297981ee4d8a6933e6f1482f93e4620b84aba99dd12005aa85515e435

SHA512
80c7aef06f73b4f1e4d0c9eea162ac29842a51de7335c66de737ecbc8e8ca4921dec7312d912320d2100495b38007d6ba7abee8a35fded5332eb8348e4931090

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2e677d26f87cb3c4bbd5d56c514a1b8b

SHA1
98aa8b50536858d1284bd752998b1b4ed5be8c95

SHA256
22dc4e80be57c71a6fa854da55e7f4223910cec3ded7571549f7c168244b06d2

SHA512
4c0d9a4c068db514d80960ebe12a80d64994cd93bc2d7f811416e02e79fd50d971b0aa05f97463d9ea391e5d33d40a299117e1f333311432412e9b0f959b20a7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
6a0a3263eea7e8ba9bb2015acb625082

SHA1
c839c9899e70de35cc885baf4c40e9d7cbfacdfe

SHA256
de0c208f2540e7c5c80b3a2b382329c6af2b079b9ee4d12a79bbe1102f544376

SHA512
531a86475a082be463ff02ffeffda611f80edd3141beef5ce13ef1f554e2d23dcb9675248390a166b9f37f017cfd432fb0bb711100d7b92a4b303bd02d9e0759

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
1febb01e2e69c8dadb23eca21f765513

SHA1
77e8f141974f1573999ad87142a2b6ac9f991737

SHA256
23ecd851b2745ce4629d95ebbc306a56caef39ec97c915cd30d16a66b5d2d49a

SHA512
5e68fde12d66e715e5597b2b57f3a5b4c86e96e2b498e3e33d9240788fb9da18d7a8dfd8756de38111a9626b41419ec3601c4533500dbb0d3be96dd4d889eccd

Download Submit
memory/244-583-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/244-141-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/244-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/860-214-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/860-113-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/960-597-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/960-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1260-11-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1260-104-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1260-20-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1260-17-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1316-116-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1316-226-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1420-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1420-592-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1520-593-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1520-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1592-88-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1592-98-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1688-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1688-591-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1876-6-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/1876-2-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/1876-97-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1876-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2116-186-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2116-578-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2640-130-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2640-250-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2644-68-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2644-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2644-36-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2644-45-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2644-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3156-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3156-458-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3388-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3388-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3388-80-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3388-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3536-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3536-31-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3536-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3796-81-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3796-78-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3796-86-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3796-72-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3796-84-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3872-251-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3872-594-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3912-54-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3912-164-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3912-48-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3912-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4132-127-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4132-238-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4548-200-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4548-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4620-153-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4620-377-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5076-189-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5076-587-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download