0254b44ecb23316857073faba71ee0671a28acee4334e9d45c2f74657d2fa01a

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
Size

1.8MB
MD5

9144c94d31c8a2b8e540c333532d45c9
SHA1

7ca5178781a83f77eab897e11e292672c60ee00e
SHA256

0254b44ecb23316857073faba71ee0671a28acee4334e9d45c2f74657d2fa01a
SHA512

31a097f4b388e60f4368fe7f001f520e549e4485d40f95aacfdfade9c8f6608b34789e5b0714b3c64c86c14a79e0147a1d68a0bd4ca8d0b4b05f843ca156f88e
SSDEEP

49152:FE19+ApwXk1QE1RzsEQPaxHNWrgZ1WJlD2vmah:m93wXmoKurgZyk

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4480	alg.exe
4652	DiagnosticsHub.StandardCollector.Service.exe
932	fxssvc.exe
4956	elevation_service.exe
3020	elevation_service.exe
5012	maintenanceservice.exe
2616	msdtc.exe
816	OSE.EXE
4516	PerceptionSimulationService.exe
3360	perfhost.exe
380	locator.exe
4772	SensorDataService.exe
3468	snmptrap.exe
1932	spectrum.exe
1904	ssh-agent.exe
2696	TieringEngineService.exe
4320	AgentService.exe
5084	vds.exe
3364	vssvc.exe
3860	wbengine.exe
3100	WmiApSrv.exe
4220	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e18d0c791ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b81df65d98cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd47bf5d98cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e40bc45d98cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bcf1a55c98cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d029696098cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002905b95c98cdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4a53d5e98cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063b7aa5c98cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da0b895f98cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
Token: SeAuditPrivilege	932	fxssvc.exe
Token: SeRestorePrivilege	2696	TieringEngineService.exe
Token: SeManageVolumePrivilege	2696	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4320	AgentService.exe
Token: SeBackupPrivilege	3364	vssvc.exe
Token: SeRestorePrivilege	3364	vssvc.exe
Token: SeAuditPrivilege	3364	vssvc.exe
Token: SeBackupPrivilege	3860	wbengine.exe
Token: SeRestorePrivilege	3860	wbengine.exe
Token: SeSecurityPrivilege	3860	wbengine.exe
Token: 33	4220	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeDebugPrivilege	4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
Token: SeDebugPrivilege	4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
Token: SeDebugPrivilege	4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
Token: SeDebugPrivilege	4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
Token: SeDebugPrivilege	4620	2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
Token: SeDebugPrivilege	4480	alg.exe
Token: SeDebugPrivilege	4480	alg.exe
Token: SeDebugPrivilege	4480	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 1988	4220	SearchIndexer.exe	107
PID 4220 wrote to memory of 1988	4220	SearchIndexer.exe	107
PID 4220 wrote to memory of 4676	4220	SearchIndexer.exe	108
PID 4220 wrote to memory of 4676	4220	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_9144c94d31c8a2b8e540c333532d45c9_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1000

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2616

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:816

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3360

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:380

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4772

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1932

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3520

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3100

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1988
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b5163545dd55e224ac00542324fe0c1e

SHA1
825ad6e4f987581646a0bea9efcba4cd02abdd2a

SHA256
0d186cfeffa11452e303a762acd77a20e280f7237982171df18627c2761d44b1

SHA512
f4c0237ab4ca5036927ea7fc92624ece9b9b05bfe981be0249367043af6274ad352235cf014214557b57d042fae22258131c7f848af2b43cf072389d2d5fd28d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
307d7906d6f3f2b3d9a26acb95f5d9e8

SHA1
d3946682a3981a61f52d4542f91a0e48d250442c

SHA256
5b6774ae03da8618be93de1ab5463c7c9b974081d3bf30974b7df22de7d5868f

SHA512
2eb443bb2adf7a661138214725ade83a4a174e8ef8f095840bfb9cecbd4fecce73d56a9d774269a8a1b2df0ccf53c97828a8f6a1578a2488e3ff9d9b7a0df28a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
29e6008daff5624a45f3bd038f5c8ccd

SHA1
0fed5815be8024bf09c7902b126ad8e764f2f3fc

SHA256
4d4ac1ed266e2f58f44232bbad10c87639bc5f349ef75ccf60265fb87bb41bd6

SHA512
d3665dc37f18f997e469e6f24432d264155e1dc5f92a64e152dbf4688cd5bf11380056ae225b038f6ef73db3bb8059ed7aef093460cbd5c3314c7af91cf5b7e7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2ea2d11d3ef87b68cec15fe0da55bfc7

SHA1
2c3da26c58d6171bafdc83f0f8c598d470ff566b

SHA256
a9e47316aa0748a52aaaa1004af4582a8bfbf75cc96fd9d4ce212640a311fd03

SHA512
d86ebd7f6f9fe57c4f3407aadb7dc3220f60f6fda6ca11e82bbb8deaf941b5b1f2508c5be3489fc1d79bf8934110440fc9b3d29f601b42760823fe34ef7f5080

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
934de814e235a4241c9fbb33b1e9ed31

SHA1
e230ac1a13a1e416104734c7e5ad97b445ddfca2

SHA256
4c639c20b6cb4224c227d6a99ca57a5078e8bef802fcd8c4659a6abad51b5b6e

SHA512
4ce30f4e463e01384245cc971e257c888997c0a26d383ce1d00c9acab2118b005e75b569a7dc16f6e9a6146cccb4aeb34cf69fb32c3a1a52a6124563963b12c4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a3f86fdea9c3083edebdb34e98e00ece

SHA1
4e42937d84227f4329433c13911895b79ee215eb

SHA256
f307373b50b89fb48ef6bd1e5ad793b02253482c17c5312c9712fdede768b097

SHA512
9974b7233934b2b2cb2b3297b21e4d2017ab32a542fbe6b5da413393abd6b5fc776f54f26fea5d4b5cc1e71674cb5e8acdcd19327e2ca65f8c8253db19e9317a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
aa768f4af23d837e2b782028f17f9c54

SHA1
dea97b32400efe1c8d87fe9ba7a976c568f46ad6

SHA256
4a4b6f60e9a3a0ccf5e0c14823c8e1b5d96cd5b1322b5d80981ad7c588e2668c

SHA512
e74f89a1ae19a57473369903f2b65ad83c69e8d64b10f137bd779fe1e72d9ba4b361b6ccbe9e49c9b172b2829410e1bfe359704a49e8ae8acd89d3d5a10d401c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
03a5b99ec5fe8036fc9769e7b22c9676

SHA1
e03b301046b4150eaed3bf1632d9eb2f9f5e66c8

SHA256
43675b0137ac1696fd1a25b551199004ebeb32f453c5b8a40d3c5b71e4a47fa7

SHA512
0a8a00a0c011b0454e46d9ef7c98852e7b91d1506e0072764d31c8baa837f22d9b4d40e163dcc3656c46944a6f202d77d57143635ba12ffbdc4089d9fc50cb90

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
45e99a0df3d8c6cef2eca8c39004bd29

SHA1
b66020e5b9ffd9150904b627951c8ac026439688

SHA256
edff8e6dd5e3ac60134a69c68947670fc39b3ff5efb955c3d66665b06765ad25

SHA512
4b5a031f3193d7b196cf95f9ab4813c93f1355c62999059a54a2b3498d49b933865239fd81da7c421eb27f6c8e51d3204f44f2b6680d0444c374bbce4f2aff21

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
eb703ff39292bcd65a23b17093a4504b

SHA1
4dc258b8dcca80e364e41fad80f2121fe41f6a8a

SHA256
a5d61b5a1f3ba2dfc44aedbe6c933f69ac18eb96e026a9dafb361b624097784a

SHA512
fdc3a2cae155b261bf50989037a74396d1864d06149799448c5c73adfd77f14ef9937c99ac436f780e3f9e8829ed73b605ff152705b3bd9a93f00ee963a38401

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3648ce93915786e413211c440f98474e

SHA1
38edbeeb94aac811973f90224da85f143de3753c

SHA256
de560ec9db321b07374cedec0264039db62ccc415344623e6108db35f6f6d768

SHA512
8a22aa0256f156ab916ddce191e1ebd58a040dd63d639b18ee452eb0e350d8c209c026bbea9c3f2cbed08c395793e774749b55ae5078694707725e19fe89fd26

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
516bc0cead8be43562a08eccae9f010c

SHA1
6b3bf038040666bcbba87ab2687fc29ab1ec3eb6

SHA256
e2f066c29e579622b6af5ad9a3d7ceb47b42d67f0023b5678dd2444b9e083148

SHA512
e2e2f4bc5039a941796f8f9a0c9cca532192f81d54d751acf25696ec628b69bfd9fbeda5075e787ef0e8f81c7d0796801daa16355bd5360425a4d7956454fc73

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ae54e8b43208e47078918c130290ee51

SHA1
413a704dae629bc52cda996efa88446b224cc700

SHA256
c9d492d5f6ea6f73ec1e53c0b06ad6459bbee6889ef338d5b2e0f4f6cca3ed04

SHA512
7f18acfc4677720343cddd206b0acebcc089c7d6ab001cfae97f4b6a23fbadc028a8a84344ad0df6942d0bd4ff4da5501bea4f9b3264235124a86f840042e795

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d4ba800b46167d5782bf3a21e610fb40

SHA1
1956df203f9c9020b397d05586eb7754d6ed4860

SHA256
800d6566f59c59f5a898bb1e06115ffd8186abd04d7ec4ce641dd8197d39256a

SHA512
090dede5b8441d437c5ed313c38d302ba812b8a6025a454528263a908663e3e70d61c13d7e901a3fe1461539f9de576cc2fefa8ee519fd1683f404812ac25a3b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f0d5a182dcb913ef1393fde5c14972b3

SHA1
efe2ad6e2e324a7d49880b291395a8128d52f0ba

SHA256
63949e766e2091a7c6cba778f4514d0f12c91ee2b4165c6f63473f3251fe41e7

SHA512
f77d96f986f1d08541466ce91ad72798ecfb842e7c551ae945d46fd6bbe78699d79715749b4824d919363783542807a4e9d2cd1d687fae04371d071564299cf1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
6f88331963529cc8ed626467ffc35d1d

SHA1
b1325e1cf93cf06bd6840ee3812d5a37c899f1a8

SHA256
a39c054bd09a661580a89d853fef5f942d5e61a2b11c0b9d84bcaca0b8cbb389

SHA512
d8f9037150f20d6fa89a9c4c304afffe17013f79ac8d3eb598839774c4066c4a261863ca6e7c57f50d7424002cfdc44b78d9277d0b392faeaaa429e060cbd060

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2dabff774ffa486fe203f00c0bc4a810

SHA1
63c4cda5b43ad2873e0ce5892053253592d74c7c

SHA256
7949bc7d28e7778387868e8711adfc439dad4e8bbddc87fe2b7dcc7735586d15

SHA512
99bd21fe5f608a81df8ac7d09ce961d4ab26a5b0b07c64947fb53b68bcd907fd56fe5b07c3cf6c5c580d6c8232a244cbc6157b0bd59de810e3feaf92a3f9da9d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
98df27a67833b0cf4b44ac7baec37eb2

SHA1
33b700e964ecccd4025e57df3be1d527d22a940d

SHA256
99d8a0206e415926d9b9c0c7de6c31e62165e17daf1c899bf4c7f8b9a3c44449

SHA512
0c8cf04a6600b2f1349f5ac2f411655220b07abc1979e90e2a94102852fcc66d5d000480c63cd154f3e7a591a5e20f5bb7e07474127b3917cd395e73c70601e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
fe79b10087a4c1e53f1a933328e7c6f7

SHA1
1f5c40084d39608a10ad60712a43e435d195134f

SHA256
688cfe9ca3639390211c322189e3168df9933931824847302fef8f1dbb1b8a7c

SHA512
0fe2503dc693651fe80217abb0c15219eb0527bf1f746d8451774855a0a7e00adc4f143c34493ddcefcc7544866a84f6dfa5aa5b72c5ae210f5ce49ccc70170f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e3fe5b1e8627396fe792dd5492ded86c

SHA1
d9e505e3323b8bc907ef239d984acf99e443c61f

SHA256
3d2b10bbc1ea6c437710fa4265b13284fe88b52ab003d2d4d2e5796b498eeea6

SHA512
b9832c9b516a1de912941d4911a5be66ba6c60e02c92d568e43d8622b013d22a8a51239ea228c7df6b8e5ecb910e19fbdae349672fe11d0cda63aab9faa5d38f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
92b4becc5092b6cb3f8e54b5c48ae730

SHA1
7fba24f95166988ddc64acfcff37399cfd8bf0ed

SHA256
5d8e25346d2a139779eb342ab33a0e9ee12c88aeec11f022535b131acc5a49da

SHA512
91132911dcc036f3c501995b323fee4e8d22c7f7a78e7f63f63fe69fbbd9a76e7fce21ebfe9137145f266e2143520e23416e9a2219c53478a69b2363c1f0a480

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a7493b844dbe9081de06d9056bae0f39

SHA1
f660244626625d84471b3798217948551d2be7e3

SHA256
bc5554fb55fb8f2378f9443ec4a8b8f9a250af07eb967d5bd7f1099922cf0fc1

SHA512
7ebb0e770b66497be486650e5a019a17e030b21d2d13cf4b3ab26f6cb26fcdb7b7d63a56e7f2fac7d90c8ca05b378443a6e85f3296c917be8b0f7c678a02543c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
28bf8e0b19e1d5ff98c97aa1a51d4d70

SHA1
158b615532bae4fed39a8600131154827952f9a8

SHA256
8b077b3b126019f9c6c3d1c4eae02ddce4cf5910fd6843f20299d93d1b315619

SHA512
6bd7fa4211926b81fe918ab89a118af3caebb592d0af59b1825cd6614b058d7eba866e8a116f3ab03697722f05e69fe7a9cf112d307b01a28878c6372363c12a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a2c4bf9a5a3f859bc6839d3ae28f3227

SHA1
0eb4d96a79a58b08474faa725fad773bcce47700

SHA256
67c70ecc31bf870ff200572945ad73fd35d52a43bcba0426c40a7f86dd8c573f

SHA512
60a486c0eb175eba7ffc50b47edb1292214f431293b9b5b87ac3b7271bfbf8cddff6f35c09aecbc9876417c72109a931fd60b621ad1c9d02eaa27c2adad9340c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c9f544c588ef98522ed48638df06bebe

SHA1
d24748ee61b67175b890c3612beda54d0a5b1c14

SHA256
94fd2afa6afcfee04c6ea9f7190d11d9e951c899cf5d0a595ab96df0d58ca4cb

SHA512
67ec9a3cdc84b3126234be25cb147cde425852c912a06173bf90a418899f6d1de64105f45fde590f574438fb49a1d48a235ff21faa3b628d59dcd60b7a30f8a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d66a2d831ee13f86b7b07522b29b3736

SHA1
e9507f9fc3dde9edf8b99ee35a8e98d522aec448

SHA256
6b9c8e7d206b97979d5c7b73b7d623f4b02a6851875ab89a23aec15e2a70cf34

SHA512
28a37fc4cfb49ab8c44c36f1cf22ecb72244728a842c9bb283bdb4b006ca212ec9789d1fa85a6a075f5ebe278893db8ac682d186153ac086fb44680fafdbf2bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
b5038bb6e8762dbe873ad9519def89ba

SHA1
675170298aa898aebcb4a82ccc53761a0d2c5121

SHA256
c991df6b872df6296bfbdbef3ab28193b556f5f995a03c271cb71c2fd2df5b39

SHA512
7ded8da3f714d6bf1a962e8cde8f231e0ebe6bb495a905cb3bd8b15608b64fd296f79ac2e053f475cd3d9edc77b9fdffe3f33a9efc1a9599f7363630fd8f8da5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f48e0779a3975d19aa2d332e8dbcdad4

SHA1
ef21fa5043843b1b053a44ada0920dbf6b896260

SHA256
b2570570d7bb4be6ba885669ff15e7ab553192013309c83e596b465b31946ede

SHA512
95ca86b0e9e0831cfe284f68b28827823ba7676f276e05e91b932970f08d13eb1419e50762514ee8b316f18802a8baf5bd2f2612857faee7fab3b99fbc395878

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a2c36e630d96033084f3428b90a9583e

SHA1
817a7805108ed502278bc3f9e8e530188f82d96c

SHA256
3892f6498277943eb93dc2fa0b24b9b6aa494d7838168cc8e996c9004104add7

SHA512
2b101bf3004c51fb4fbf791cd37ef43c6454c763419de4815b8118d20c8b28cabf94c47fb82f187eb879746fc88ce416e19eeacc1ce6ff7db3ea90930265a728

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
b34a985bc36193d08c9bb69ef30eb56f

SHA1
61533fbe59123864a0ac86957bdd66126aebcc2c

SHA256
aebc55680ab5319f86296fc236881780d8eaabb8ca65f110a1f0ce3c8656e68c

SHA512
714b9807d0486b7768b7f892c027e3942993a6e311bbbb10d3458ab4f87691bf2244991d72adf9f387acd7af83783e2ef0646a529439c645c036e08cca2c5af3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d3b01a0096036a059a7eda36a83bda37

SHA1
c06cb926a9dd6f6dbd5a90000179bde001ca9948

SHA256
d44fc2310bff44d3e25bf64bdaca7ce3c7921113f06b06ed986c61908f4d577d

SHA512
dd0e56edd41181f0a0a5d0b0c6ae41d1e7d198d86f1c105ecc3157fbb597b6ad828d77b6cdc933136d7c2b3cb1367fe5b0642da0456cc9860cdb9e1c13c5845a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
173dfbf1823e008834348c411e1f666d

SHA1
f034d6d0a2de9721119c6b0895b52567feb5d878

SHA256
2d13a2315fb9ccba7421b975db0cfe8a0342a929dadfe4b503778d3c42605bea

SHA512
2e83f0fe43999c6f2ab89315eae82e2d21baabdbd0f814f6d08831f5ae8e93e4b794e5232ebb85ef59bd4b179024b6b60cff7066cc56012c5a71eeef65505726

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
20c6cf5b1984ded1811bc62daee72da5

SHA1
899976fbbf45d7d00fc4f38f204c57946a5e8a44

SHA256
91ef861158019ce036d66c62d4a77ad996690eb96fc6963f0a1518f33a5bee84

SHA512
276aa02aba50e01c02c40ef1743b7ce9c3a15c72ab00a70dc71910334722148010244a3941fbd1f00b23de329e7df58bca8def2eb007bc44a1dbabb89c93f365

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
fa77973f9b7f00f8ff42f9adbe898f0a

SHA1
7bd1374b51d2625e1d09769e58c14028d51e4f17

SHA256
b18b0f5ad2be81e14dcc70ad1712db1e450ab74c242c36848d90922693cfc914

SHA512
ea612038aa411c55356cd3beac129d03c381fe86d5c374e27597ec548b6411fa7449eadd8a71bc90fd1523132c373f39bd668cda3cfe4f38d17b98f14e171a57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
1ab9fffba9383f1c25254f7b2c601dc8

SHA1
ae235d83b215961226dc975e67a4eae9a2383ded

SHA256
771729eda0648db90b058b14a3dfb027a44e9d03ccfb8e6d81aeb992b9d6738a

SHA512
feada271e5a725b74f817059eadc0831bc5c15618210e89623063481145411dd833a1c74fb828921100b32eff4064b33091f2e1c1dcf7c6823446c3d8f218165

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
27c099ee38b8352f42d8c0f3746b0636

SHA1
87fcc4f4ff662093dd51838fb862ca3cbc3fda70

SHA256
9d3ccd14c41362c81414e13224e1cde93269ad8afc863a330aad5e9d5ecf0de5

SHA512
a7f6ae9dea990e7ce7594e698ee6805fb4f98f603aa5da5d7532138de065516ed770395436455f8d50e7cb2d7e4a901f6aee9fc2b8c281213ff3ccdee6ec7e92

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3254db05e915da5cc16c1d3098765b82

SHA1
6d5aabc0810bed6f4f24b0aed67ab0447c166fa7

SHA256
406aac97c6cc43ec426f7ce9bd35307b33e0e5f9e6c39b994dbde617a44734f1

SHA512
b7a90b7f3f7d8e9c964382d5f357cff8756d3b7bde4241170584fc0ae417a87b8c271b0cfdedee6129dc9c52a6698d3ea39a77710634467492897b822d5afa35

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
cedd3c20fd4a901c579582da737be5aa

SHA1
b6e36b018373ec65e47a52d314bc8ba9315c65e7

SHA256
17d2ae49dca9f383d1c95737358fdb20d6bf3d0834810c7dd5c985e810cbe20d

SHA512
9cf0e5e576fd592d2ca49bbf077ff90244aa3752ae1bccc4ad738e61a3c44319e43b7585e2424bbc81ccdd409227b3b227b51cacd5a676b7d7feb6f2f06960ec

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b5cd46b0588d84735fe25f49fc4e9673

SHA1
7d42f355910cd893382ecf9989569d605b09d8d2

SHA256
fb00ea74c20e317464ce178ae001daf6568e8cd741559c77a8a5e4fe10c7498e

SHA512
a4dd8e67f4879e3a0662713a12d629667e5f970ee00a0dcebe1b1a9e67fd6f05c3d9f024d645f9f5e7dee7540dac6b4c85c55c949f00d8b52eead86ec5b3fbc1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ec87440cb713ffea8639a8d2e54b5a65

SHA1
6615e46a4ef45b6773d09c687a213c65c9af398e

SHA256
227c7b788ea08199088c8ffd7e0f0dcebfc15925c36dcdd7a3d82c8dc0bafa95

SHA512
fa80f94d378ed8ca32006d72996d1f73ad773e3b8a2ce25fbde4c0145e0bf82a2d68b1f9eb8dcfe323784e4cdfa4c89796eb7a87ae506596860c7aef85aa3644

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e6b14d3b28670817f74353c48fd00d55

SHA1
05f8d9030ce918f69cbd6b6bb275516141447778

SHA256
db3d35c95978a0aa8d212e5e87a46c85077abf4776e71bce44a6072a79646ead

SHA512
ecbd3168b62129925379d54f16751e950fac23646fca4fcebfa7509e31ad71154ae10276edc1f302a95b9b4ee73c63f4bbdbd1292c40bd28933fdf18ff17b14f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
371e0721e60fc97597238e1000ddeeb6

SHA1
e4113de68441fb020948c1a037fc3d37edf21186

SHA256
83e5d330767bdaafbe3a114b418e6e80d8e77da1d3d5557a1f3ecc92b4d2162b

SHA512
8fdebb9e30d01abeacb4ed75c760d29ea1c85eb1c003742799226ff1c9ca37cccd9532a778d7f6296c5d9e503938440ad7e69c5666f40edef8ebeacf172dce9d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e0534c47a23bfdbce2667950dc9d08f9

SHA1
c1f8c22e8fb1d9921eb349b2511408966a256c76

SHA256
234d380851a8dbcf0ad2ce986c049bddc1279c1cf5cc0822f3fc7a811c951507

SHA512
4a6bb17f128b0400954000d48a469262a134454d77388a6b352a6d8bc674f99f791e3155ea949e2fa93c32f0ca138e73980c7eea774f96c7a7d38cad00bdb8e6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b45ee24362f7e31e9fb903682cb371ba

SHA1
5821a8e14120a0e3c3339593d83650ab35e7743d

SHA256
d3f2bd54666c4c1b000ffbaa1ca9f74e6de0c8e69258c24c74d147ea36b8a995

SHA512
4fa157cbdaf96692d0335f68da43f43491dabd38fbb1318cf33fca571863d482840514be123a6373dde05d18fc8ed02b68ccd5875b9acfbf8ea272b0426b47d1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
56b15c8a616fa34517f374c75599aaf9

SHA1
9f8f1fa4d622c841e00da5b961844192c954b043

SHA256
daf52fcf310a7fe8df4001c2dba394a9baafa357cf638bf5bd2130b5eda29da4

SHA512
dc324c8eb46c7694ca7fb14946d822589096f27ba5fe45006d75301572a53a84c7b31e04fbd8df1be20a04435849883dfcc67b3fb6c7bf089d00866cd012d707

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d38cf71b3577caa73bdce760359a43d9

SHA1
7ab6dc65c84a684f0b392245227097156a7ef347

SHA256
30b1d549a4c0401ebe20c37dd0146f4bd40f164bf09fcd43c522fc7155c8f1b5

SHA512
a4ae62ef019de88848a7e8e61bd3e2e9e24d4ce9387c3348167740d6884b7f8567c9a26eed57e0d12eb8fb11c79db7b97ea7922d345f9fbe41b1ab552bfec4d1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d00d092a9343a4d9e85690e6b0670b37

SHA1
fd26c7c269fb677c3b5cc5165237f55bc503f62d

SHA256
afe64480364f76fa1d4390f62595513b6a718e73e9fd95818c75155016d3f18e

SHA512
fe129d55f365546b8007d9e264a4642377904fbb9495bdbd29f34da7f2f0637a52364ff73fb9a8bbe2d65821110d9d525b588e830a7415bb9f7e46d9809ea960

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4b95818dbb2e69d098eb48da4de75894

SHA1
2d65e4cd2d9b86c150a59fbbe467dbdac3732359

SHA256
ce09e83f31f40b61f082d3031373ef1d4668733894a68ca52e1f4100bb2d46c5

SHA512
9bf593a74bbb18987f79fcf172969bbc4b0accc1a92c1f601b1611591ee4758153730ff05ba6070faf4c2f54e6ab73e7193e210c4d5e410fa8a7bc775804c5ca

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
16c7252e841f162ec5d98161f0cf4d35

SHA1
5b4d8e6e366704ad7a9a97e3031dc1f4bf95e1e1

SHA256
bafbf7c2a19380fe321deb3bf496fcbbd4e43faf8070f759ab833bfd367c56b2

SHA512
885847334f91aa684f877f5c8cb3b0372bf985385cd4a9df90df28ab8933ff4556413767b70cb75ca00f8391f6da821bded4850c8e5e8f9b0f540ac6282db866

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5abcb37cd52876c0712d70cff9467cb3

SHA1
4181a1838ba0f859f87179c401ec60f69cbf1c77

SHA256
bfd2b4cfc9bde7b12d102477741d86c2d407e9af360c18c52f83b18b89318bfd

SHA512
f4c4773c796a1b0bab19fb236d761d473a2e55aa75ef0f7651f78e30ee81433060fcebebafec932b012c761c37c9a88e8c2eea6c4a2d4689c2cf3fa2d09b5617

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b1d558c944ad237434d3d50d83aacc1c

SHA1
2983d289853cc8160bb94bfc599e02e71073008e

SHA256
34735225000df1c461b9c8abc8eea7158079a963766dab72c4932be6719522c7

SHA512
40ad292199a6c42c26b1c3561edc1371561023939e07f555397a1b2b0ea5e5adcad3c649ecaaeea5fc78620a24dfb2409732d4755a5a82ac3e5a568880f4dd27

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3bd84ce3ddc2386a244bc4f68413b857

SHA1
b8769adb5adcb2bd225dc7cf1231ac7bfa755c75

SHA256
a78de75eb9496907f235eaa87c441c52aa8ea4f1f3a60bf00d34b79b7ffa6c1b

SHA512
7a9af62d8860ddddc07a8be29c99e2237767b60ac1040752ba1b2931ebeace6f3f291bc2ec39e2c3927fe7e47edcb4ff6a5afa76313651e3b6a5acb57e972006

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
75d4d3c42f748c5e78788807a41fbc2b

SHA1
2521602c17887aeef8b71277220ab57c136b381f

SHA256
e155a9c0a69764ecacb74373be2e3202d4b24a88edb6e67d55acd1d40a73ce58

SHA512
131ad2f2657ff0ef5bcc3de619302201181e416d50ba2e7bfbcbf69d6357c5a91237fde3f9fbfeb5a5ec51a01ab33e23f152b83901c6a1e89c8ca538107396e3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a1f04b47a4ed3fa4a28160044fa024de

SHA1
e37861fe450ca09f9b560c2c2a8d9f5fac52db0a

SHA256
8c333eec5b901e3458bd8b9b34ed051b2a36ba8af8e2691db07427ce92998d66

SHA512
9812936660a8380132c07287d0e05b0790dbce9d35c4df5d11e163db1d045b3fbf0a1e32e2f10365679a445e5934a34b4daef89089e12ad37313c6defb73590a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ea77c216b2950df7e73ea9d115d8693b

SHA1
0e7990c9e0b8f7c8f3c175d9148a208d3649b181

SHA256
624b222b9ea39125d65c650f847941f458315e63cce611ba2c8cc53a35224dda

SHA512
0da65e53d8c3cae7968147764f876d5e6f4a50c9663e64498205f8d67426f663fa923f1f8409ecf3f722e20f305a17393a9da3372eb1cab7c7b722640ccc9a6c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
93b522a3a429cdb00ec1853671b72ba0

SHA1
5089acceb4a2c4bec169e3874cb936aede8494a6

SHA256
1d506b5f05ca0a28bf09beb8986b5691d27a07005e1f97f2732971ad3b353e60

SHA512
b076f4ddd19b2568c397ed2cde2cb1fbcb3629e66d491404866ff561eb79ec21d378707bff7b66ee5aad3f854780cce408ebc9859c8aed59734705effb471087

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0505d8367f7df209245095fb66e42411

SHA1
d54d50a24f41879d2850c1641b09b8d5a7beb3a3

SHA256
2d40ca1e9f88f3e0e0b0a6ebfebb07d8192ec19e6a99f0b2ee9daa44343be4c3

SHA512
d8f183e887ef11865eea394bacdb137ab9970c014561d1563f3491d7ccb8d91a6a3009ed66f16f212590d5035329471f72d98ebd3b373eebbe122d5662447bbd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b689e4904f4d3834473c3fb7d1d324c2

SHA1
0d4e437a164a56ba89e64cb7f3d566e57d82852b

SHA256
484e7cfa525c334045d89138062b0816306f9cc52edc85e500d137a7a4b13760

SHA512
c92c6ceb8b49b12cc1feb76f0fa37ab209e3843d99d7f475178964068125f4b52a667f0839ee395edcf45ab9adbfee53b9aa444c945d178a9cad248bddebfdf4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
90b73872c31a1d3d7f3cf516285141a3

SHA1
be03de79caf04afa286aa485abd7f847e162bdec

SHA256
9c0191236dba9eb66ad79d7e75862158822a97abf09f6cd371df86568edb9fe1

SHA512
639fdac5b8a1a26bf12f16fc901a1623422d8314ce8c07215c9747198831a32b33adeadfdf5fb2b0939516a8b3d55e03b52755390b0449effcb5a68a6b9846e3

Download Submit
memory/380-253-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/380-132-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/816-115-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/816-217-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/932-46-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/932-38-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/932-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/932-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/932-47-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1904-180-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1904-511-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1932-482-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1932-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2616-202-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2616-90-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2616-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2696-576-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2696-191-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3020-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3020-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3020-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3020-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3100-582-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3100-254-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3360-241-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3360-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3364-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3364-578-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3468-155-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3468-431-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3860-579-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3860-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4220-583-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4220-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4320-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4320-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4480-19-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4480-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4480-13-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4480-114-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4516-118-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4516-229-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4620-1-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/4620-8-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/4620-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4620-74-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4652-117-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4652-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4652-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4652-34-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4772-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4772-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4772-507-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4956-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4956-58-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4956-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4956-52-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/5012-75-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5012-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5012-86-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5012-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5012-81-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5084-577-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5084-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download