0016f10c64c6c2c37b39549a99503a40a3c6da184c424095f21b9b483eb43bbb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
Size

712KB
MD5

85a8d511174d2b9b99b4b23570b37437
SHA1

6db9c4714ae15fe295d96ea3a331bd4417cc7c85
SHA256

0016f10c64c6c2c37b39549a99503a40a3c6da184c424095f21b9b483eb43bbb
SHA512

002f999f13edd927d79f022f7bac73c98a72ca09d0c9c66553df24164d8af66fdffcd54ed30c266d2d2edd8a6f699d83d8a37f610519859e0d4130f62e08ed42
SSDEEP

12288:ItOw6BaBTNjYGgpK/vnRsmH5Ckt73qfKrrzD89f24pWYbCXGah2JoHq1MGJlyw9/:26BCTNjx+mZCkt76f/24pN+XNqNG6hdn

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4800	alg.exe
3408	DiagnosticsHub.StandardCollector.Service.exe
1656	fxssvc.exe
3644	elevation_service.exe
2832	elevation_service.exe
1320	maintenanceservice.exe
2876	msdtc.exe
3820	OSE.EXE
1940	PerceptionSimulationService.exe
4452	perfhost.exe
1964	locator.exe
4644	SensorDataService.exe
2324	snmptrap.exe
3600	spectrum.exe
2976	ssh-agent.exe
2104	TieringEngineService.exe
4428	AgentService.exe
3592	vds.exe
1712	vssvc.exe
1060	wbengine.exe
648	WmiApSrv.exe
2456	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ad28e365c9b3195.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{CABD5C61-B299-446E-8273-0F06174CB008}\chrome_installer.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_130421\java.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f624afc1fbceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd063ac4fbceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0dbe9c2fbceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000796ad4cafbceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025aeb8c1fbceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
Token: SeAuditPrivilege	1656	fxssvc.exe
Token: SeRestorePrivilege	2104	TieringEngineService.exe
Token: SeManageVolumePrivilege	2104	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4428	AgentService.exe
Token: SeBackupPrivilege	1712	vssvc.exe
Token: SeRestorePrivilege	1712	vssvc.exe
Token: SeAuditPrivilege	1712	vssvc.exe
Token: SeBackupPrivilege	1060	wbengine.exe
Token: SeRestorePrivilege	1060	wbengine.exe
Token: SeSecurityPrivilege	1060	wbengine.exe
Token: 33	2456	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeDebugPrivilege	2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
Token: SeDebugPrivilege	2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
Token: SeDebugPrivilege	2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
Token: SeDebugPrivilege	2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
Token: SeDebugPrivilege	2732	2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
Token: SeDebugPrivilege	4800	alg.exe
Token: SeDebugPrivilege	4800	alg.exe
Token: SeDebugPrivilege	4800	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 3288	2456	SearchIndexer.exe	112
PID 2456 wrote to memory of 3288	2456	SearchIndexer.exe	112
PID 2456 wrote to memory of 2412	2456	SearchIndexer.exe	113
PID 2456 wrote to memory of 2412	2456	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_85a8d511174d2b9b99b4b23570b37437_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4740

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2832

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1320

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2876

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3820

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4644

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2324

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3020

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:648

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3288
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 920 924 932 8192 928 904
  2⤵
  - Modifies data under HKEY_USERS
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
64c72aaee30ecd6a5057ac122e208fb5

SHA1
c88258db3ff318c8f7230b00322d69501e4c018b

SHA256
804b23eb8115ca3c02c54410d09ec832a388fb2b9fe14708caa764c418dcd47e

SHA512
3f1151b4b8d58c80cb68866869a1b4b5ed53ef71304cbf995f1850156b74541f5cb6ceed7d1d2ae2f13555b9a90da98c712ac52b0aa80edda242682af614ed9d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
eec1a1fa203f3a23388b200270ddb996

SHA1
6e77c7d3710cd55dbcca498d381cf267c8b3bf81

SHA256
4c2d2dfd7e0d57a933d63959a0308a04dbe86367300dda14ea2c573ae0bc950d

SHA512
a6a099a6c581be12bd22be0e223747e1aef58311a5fdc51392fa7ee9f10548e5abff083cdfb87875e0bc729599e00742dfcefecda9b911b0e913060d926c3339

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b94b00fa3039f60a9a4661574f199cda

SHA1
43c49fa29dc1e1a7b1111661211ffb0ccf519bba

SHA256
8170b2e48187c71db31988e9e922892e2acabe642b826b745a77fbf16004f174

SHA512
0922ff9c8f55bc2dd6010151d5b6465cb6d6e83128695ddfcbbb6ecd0d63e6de2aee4a75cd079510cb75ff721c2164d17dbdc51bbe4225424a3351eda9f59805

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
221bce9f209d80a3a55a48ef015c084b

SHA1
68b296fed419ce425acb85e326a25a8820d43c81

SHA256
8d9d39102ffc93f2fbf5372f8f1033bb7b947e8559c39ad86bb1cf86a092849b

SHA512
477c078e8648bf038d1c793b735aebbeff7931b1c981e1d11fb52faa267b89e6a93587fe431877af44d092355c219cee6e3e577342fc5c72c9173b93544b8145

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
33f50a79ab67229929ba370869eba380

SHA1
fdb3ba8942a1491ed5d15fd5010b386b73478a0c

SHA256
b69a7e7a0650ac384af37614dbdf325f6023edf93489f942c14f4be1907a4ed6

SHA512
b96d1b4304939f86f2b9fedbb4f7433a7c4bd332a11eef18740fead755ffbd56e472f8ac39e7361986b182826d7f05967f549af9de58f66f038c44de2401ab9b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c30dd44b97d1757d0849fccc667c4da5

SHA1
3b755ba9aa4ae576b1a7e9d93265611ef3cb52b7

SHA256
35ab3aaa7c0d07fa97829e06fb25e94705c8bf37442dda2a82ae6101382d8272

SHA512
84af418fe57231613c2b269d82dff9ad1f5690baeb1475ee96f2f149be8483247c08ffcdf1964d567e5627471fd37f8046b1d82a4d36a30f1950124898629fba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ad673ee42fad5e8f1de8046c838194eb

SHA1
b02b8c65cb190a11e78ffda2401d852964a81374

SHA256
1987b9b2839d689878f7c7c9cf89d08493c093af457999187b6fe805bedc9711

SHA512
d9e5b29e76b593b1836a04cc033846c8314b6168754453b504a248492f617b4585a7290672f5adfe6aa4a59129a6487c86c7e25dd41ea9a908b5fbf6fbd053e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fba2d4c3bba1e312218161b4b856e0f9

SHA1
79ca493ae68aa7751ccc78afc253763bc6b9ed73

SHA256
3cd4e4ea395b603edf0b334fff1d82773c8518f098b548bc1e4715c23bc37961

SHA512
2246a020d87a8ab3b8e5e05994a2403701ee461647e4ebe3afe37be8600d4c11039386d507ee7f372d0db14929e7a53d34f05aa68859d20db8f25b9d5b6aeed5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9582187931ee74bd44ac76c12ad66e4f

SHA1
24b41bbf50a0d25936f59ab1c74684b416cd5d0e

SHA256
eb2e1467bcd3214dc553a7b681fd2c2ab7073802d27c15659d4c11bb75a75e6a

SHA512
762adf01551d793156353b40d6b39e1ae613c82bfff4e60c2c0bc3508f3487d779e609ab2445141ef2faeeb241b741413e31bd764a20674f8e97fc00454db41c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
15579593eac46d238a765494fe95ceaa

SHA1
9e261f13cbecf2a5c71ed205f8351a2617fde757

SHA256
4f9d849166a1b296e93ce0bda199faa90849f39af89c550b017d96f076e18f68

SHA512
9589536fea473d0fb591cd6471f328b3dac4d828b6a0d59b66954895274da1b3db1c397a85ce2821a70b3473485b5910078d7ab5cb42be311d6dbee81e22f096

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
634f0434e983c4c379cca0ef3ae1dc72

SHA1
041804f1c69a8d375e13b8f7e2bb37264e37c058

SHA256
06b5fc6d60ddcd24b13f8760e7ad4dab8dfb860f0769262f362126b7976381e0

SHA512
c5eb02056498b436726f4781abfd9a35c5cf1ebd192ae3522733d3fadd72bf3ff48613d598b93fd3e1449ecd8b6cfc6d1bb27867089e15c0dfc27a908987ac71

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0a6134f69e69dba1df907d23842362eb

SHA1
ca938f01665bc01c90fec49afa3d657e94a0315e

SHA256
ae55cd6c44b17aa66167fcacb66d2d03d857549791bc31cfcdd4774a5c093a62

SHA512
d38917ab82dcdc9bada0b92ce11bcf62f62ee8818ca3e3580d96e0ef15aab629bfb889f655c568eae45e29e0357a8b14071a40c618f625a585f07ecb3fed383b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
3213c43f3e93eb2f2f6323e120646c00

SHA1
b975cd201a19f2f5c4f77e824adaaa208bf0b064

SHA256
5dcf5aae9ac005df2f019c2981ac16d037fd35875455a91268c9827864e710a9

SHA512
adaae53815f90f7805df7f706d81874e2998a1de05c320b6304b169cf8413fcce1b53b41c9cd3125132e4e37e1b81e58304339279cda3551e0e81109039e2e04

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
24f8699c4d184fcc34e7dd2b4426e50c

SHA1
8966be8334683411f78569d0100050e72917ac8c

SHA256
d0ddab33e4cdef7458e6243d858a06cb60bc5f1fbe3be09cca8a7d726c265588

SHA512
ef4f4031e1dfc8b5bdd027cece15e6062b7306011f292651383fba1c0ba2b83ddca587664661f4ba382938a497bb9f3597ee08de4b8a57469f2d02f7db9c7a8a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
95b11a422a07fa7c2ac78306d590effa

SHA1
31686a5b29cd219e5d7aeccb40d53e40adba77a7

SHA256
c9bf9261ec8a10f66fa935369f7deb07ff47e2708945e2c9376be4742c56fbbb

SHA512
6bbb53addcaa292ed24161987e0fc0e9938d904d8cacde0416a656a945ecab57f2120da3490eeb4d90771ea5b1da36cfbf86f1c21fb5b13c38ceed3ac1b8af4d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1954021ac96047ab8020d7877c4ba706

SHA1
5e7616acc5ad070ee86a19f4862413ea1ca7bb01

SHA256
e1b2e73e7b8047506399dd94ea7a1c74703016bce48f780e46c7a79fd7641dca

SHA512
94a39f2aa9bb56adc0b1485cb2655c602351bff6db55d76bec0d64cc05421c6e829626d91f81515d7eb54e005750f2a2e32cb244195cfcf6c00d822395a2c452

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8d5a0d142b69ccdd03fb2389793fb467

SHA1
b547400cdcc69a746062b380bd23bca66231a1b2

SHA256
d6e4bb6dbd3e8bc4f13ee1a6c1d8dc741096eede597300d0ff987a028274963c

SHA512
7b4fe936dca10776e3839fd1072c5db20d209e2a484a121796dd6bb0855636bc47e3c050243664f8a94863996a0cd8182638688991be91cd4d3dec67cd1cbe7d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
eae812621a60e7940cc89a71fe6636b6

SHA1
abc195491ee9182afc6a10761c633a984ed0c9f2

SHA256
28320e81c7d19ea232beb004e2c5a4682ba8293870cee09d278681b049fbf3e9

SHA512
e46c08834a4c7707560c9d7a899dcc5eb4f74083e6ce58e6814af3db3bfce31458726d49f6249fd7bd542a9d822c2a9f56379ddc456b7c43ab36a3756a009f91

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c6bcc284693d4c7c46141141e210a192

SHA1
91d18a4ada2e39b98d43ba44ee1301f9201ed732

SHA256
9f91832bb256b9509c7979f60cf2dec5313c10b87ede8497eb60fed9a5ae158d

SHA512
41b00fbf52d746bd89b6e21af80a267df5561b65c882b12d953738c88d8e2fcd9c91ec7eb1bec566fa304d597bd825e67cfb995c034bb2a859b92191585d91b3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2fe0d9967b041f15a4b516383ff20f19

SHA1
a53abeea3ea09b87dde100cdfef76adb06b877dc

SHA256
4e6cdf91dca1ad4906f53e42d764deafaf0bfe995824f99ae04986d6e6b23982

SHA512
15828810e588750d492d706fcb3d2e04750da597879293210c174ece4aaeaccd656ef76b697ca83558c86b5cb927aee76371e916252f241242035e113f02c141

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c084fccaa0b3775d9d4ac869444fbf53

SHA1
f800394db840f4d4f622cff6715f25ae7d8a636f

SHA256
cd09765d8302ece91478aa4f448d1fcfeba13ae5394c080116034cb9c5cecb46

SHA512
fc85b617c3c3ac365facdfbb1e6a248b788fb70060be942198360a2c8044187e84bb57d311b37b1d2699d261e3a05e2024356f847f9f4e66cb0f915de561a0c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
090f2aed33bef2a12f0559d6f92646dc

SHA1
5f6fc16b619fe7e3b6a5188b2bb071852097cca8

SHA256
055ac201a283a132b857da09a2e590c93c50a29fe4724a1b0da12c2b5355a1f2

SHA512
a0582c0d2ff9f412e289cef31afe8fb14451107754177dec0a5f743b90f35a9080a9905e27fd13bfe203e6d698d78bfa941e85b908d1e4dea7c5d9ce131186fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2dd68065fb3a86470a1dd72aa6d22610

SHA1
8d87af9dcfc8eacb5de7f372a14f5fcc82822737

SHA256
869a2bc9b1c1b45ddc0c19204ef8f9ef351d29893ea105876581db99a7933d71

SHA512
06ffaf691571e77934be460f04d2fb82a05b69b6b4441d4262fc09080da5cd16da3d7a3790ba99eb0dd135cfbbe7b542598d370b0e72dbcc91f3227ba8c23c49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c890c21d54f79106eecdacaa71362858

SHA1
26444eba92376a3bfddd7d8ea188acbb42234f08

SHA256
b669cbf0e19054c8367f8590cf98611862732715d9556026f9374661b3524df1

SHA512
4b48cb3df7852605b031e9d131525e4fae778d879c3bc76a13e17684949ab23a923da614f5d96f84b72ca005e9c478a997339c7f11841529770c65d195f676f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
dfcf4f79ad0ca4d2907435ed185eb0ac

SHA1
3c37e657e8a69b0eb9efc70fda1b21013b2f1da5

SHA256
941a962523dafed0d115c102f866e3ad167a75d8a57edd207316f3734e1d960a

SHA512
2a9a7c73a72cd2efa108334dc89d9865790d17295a1412edf1f61e4e49fa22a7ef02433bc39cfcba2e3150047495bb6199c26f5e7dd4996e0af465ba0c741f41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
6338728d5f6a8c9b9f75bd919b0f254c

SHA1
43fce8da6e1cc0af694d989992142586a972e429

SHA256
715a6d529547587acfdd4c1e76e240ba6b5a118c5e58520836362fab04fa371f

SHA512
d1c237c85396a5341c8ddf8e4f86f4c022697be4dce5238922f72dbc62736bcaf85d1706bf1d910ddb9bdfe818fc93c4720dae3bc0876d8c692fd3eaaa5cd3e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f8c1480f93deddcb6cf037120da1fac5

SHA1
88784cf4f39d1a6433f99e3a039e770c9cdfb53a

SHA256
361d7d3ad1f971b3ba64b44e1d149988a4c4d6e6bf78c74d70521fad964c2da5

SHA512
9804177d3b8ab7c745de87c5fcb324b54ed2cfa7bd6e19f1afe23edd0e528b21d3ca9eac90fbd70a1553160a62565eb77a5d54455158b34cedc93715a40842fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f1d98eafc633be5d3009d04cc765cbcf

SHA1
63972392c0f85408a306a9ca51bc0d2d42718d85

SHA256
d26d16c074a3c73022a0732991ee7f5d78076c0d72299e6ed9bbbd414141e5b1

SHA512
ab1363075e28b9f69a1678f2b0099442880fea82a9cbf155acef41594839c7926a4d805b883943a6fabcdbf42322bfcdc1f2ddf67c3fd0dc95c7148465bb6bc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b1e1c102d7958ad4f3cc4eb28923c3f5

SHA1
e6d38155857622adda410925e516a5162f507bf1

SHA256
b1d350086360f5fadc799601e9f9773b5a04702fbd584a177093f29523249df5

SHA512
2d9f1756b75fc55b4f595cc8512bb291f0c2302ca4f8688695d4850bb473d9b906d1b6b4eca35ce1f6346d8299d94746766a4b0d41c0b1713208f269d6611aed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
a02040fb5bd77c80ee568aa97d414a19

SHA1
d13ac1bf455aab7a03e3a54458ba3860085eef3a

SHA256
998678d63aa0d5a4bcfd9fd9cb5e1b1739b3b80e28d345b97d63f1a730fca304

SHA512
607cda03d492caf45d7b320c2603e2efa81505874c4fbe6e704d44fb7cc0c29710674ce5a73e2fc427ca98e3a8b6ac6bd7e38603c4b681b6fde100f56ed4c2d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
109329eb0d0ba1338cc31428e3e48a36

SHA1
282f993774e104a754b20994f878a94ed0bc84ba

SHA256
424c9ecf89fff74e355343109f951a152aa44865a1af2737a9bc67a1d17756fa

SHA512
01ad0d1bc689a82d253ebeb7f84cad45eac524d6d9729d6ea803dee9256e4fe1ec3e3470c51d718d3b0f9cb320203198b4a908d983b2a9ac9469024554ba6463

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1ddb6150c9f01d4cd796d38f42663e65

SHA1
61170947b632f2afe071a663670bd6d41c824eba

SHA256
95a201031dbf309880b9950afa041a23c9d95662995e853afc3ef6add573b470

SHA512
2f3d4fee827253df2f17f070a152eb30dc4d882e782d6854e0334b49b99720d73e63d23bb4823602947ec1b3c7993a44c86eff893ec5eb29d0ab07d36a33b4f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f386d73d9856bb131ce6deb7bdbb79d8

SHA1
68247c2bd796b7428815fdec5537f67f5ed1a4ec

SHA256
1efd2dcc9c38d89ad6de5ca9c02ef03ec9b3f56b94f1d7d7a95530a39efbaea0

SHA512
23aa14eff8d9ad5ffeeea3e3356eee07f0e3f972bb8c92c6b382d9b11e9be747d4cb76fe6019c0877ab6b5093a867807e553c624bf3a8d0cd49a939a6c98681f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
f7c07683f83d4d5b06fefc9f7dfdee46

SHA1
02d20faeaa22a8b13e03a2432ba4ed729fefb1ce

SHA256
a82b4d65a05982dbeb19585749ab314247b002c487c182eb3336844669923eb3

SHA512
3bdd15749823f18d48f66f97448417a65464fe56d0f0a9aca5ac1fbb2e17623d61b6cb0b1f9f6353aa21bb0e7e8efb5d65bc37b93860dd6902e806dacc38646d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5d402d5060da142ae812489f8368f23f

SHA1
87c2b8ce4d5a98f67f9a1d460b3e27a77b2b4dca

SHA256
05e879c56c766ee5940633b6599c52b0f068e77637dad0a4b1dadc56c17eba00

SHA512
ab7f61a14fbf0a2c548acbec7f008bdffef7c4fba17731ee33738d5bf7057c0a1038a1fa2e48b459688560b77b7f49f90abd677b52146c01ce6e0200489f4344

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
59aae182055e204f8dded30b1024f639

SHA1
eb652e598b9740662de299587d611d35d2007076

SHA256
d57e7cebfd2e1fbd54363c583a8ad0a3c5e72f880b630a2ce1944c4924f296be

SHA512
cca9b4f483f52ada6c68be3db2ee63586555bd80175e5b9a9e11fa68eb9208078a7b16a44f760352ffb499c7b48c3a6b10dab0361929d1edf256163c4804b9ac

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
866b8f302a4db35b3b9b799f666a0ab0

SHA1
e95519d0fb318204eab4ae430689adb4dac7aa78

SHA256
009b4c72467d464797c6f3f3b8d654d3f6cbc2962ad17876e992153c4630ad8a

SHA512
80eaeac5a8b994e22baea9bff8ca4d830295d889d3f0ad327354f12654e03eda43e7ab781066adb75139f2c50cd54dde74b4c7f1c4fe7836014879b047f45850

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
b1267bf1d809afe2b6b0c4a58312dc7b

SHA1
c7b2393d97ec82f2dcc488ad6561eef545b58eeb

SHA256
b0f862a4ac8d01b5c593610d0c681c8ac04110cbd26c786bae3cefc283c392a6

SHA512
f4b8ad64c6ebca294fb75c613b317ccedbcc6df238b30cf2064ecd867a0d91a7b03b678e97f59d4d65181a25986e215d519b9760b0378f8eeea95540d41322bb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
16c42da0b2ea647af5f836166dafaa1b

SHA1
c2f04e7e7625ed8fc4a54bbc8ee1ce0341ceea50

SHA256
874c00233f100331c2ee0357088edf82dce94403a65ee8b8cd5c84490789304e

SHA512
7296afaa2f73b86be35123333cf261b8f6a38a5d5313369f9b91891c8a66fc001f24c193c28e34654439702b5efaddf312f177616f7aada243d3e963ce0e21bc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
535717499494a165de407d1d11623002

SHA1
90b9f1534cba5bd5ec51ea6fce256a495b77bffe

SHA256
30a0a2a7b7c77fe69e453cc79d9c37de6b980558ee6438424b401f10ba59fb41

SHA512
230bc4587cb59df2978a99a3a19005d3b89490d69107f25b10733da3dea695168c3ac171cec520d19947b8df2f189b71fb61f38a19db6b2f01cc11f98b652084

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9e9321fdd094df27f001891e7e519fa7

SHA1
270fd75eb88a023ae20fe33f3e4ccb41a29931d3

SHA256
85eae538daa82e50926c4713b084a8fcc0bba89ddb235eeb711d80a024dd39d9

SHA512
3edc8a2f1cbf92030c2eecceb22f1c1e27af3227f10849833544c9471f36b896f19d45472ead4c000d7e72a175f9a3060724f13e456d569a398593da82965726

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
614c7153553afb14743b3a4eb73675c6

SHA1
ab746ecd01dad6a20599a87b941229d0b28a4088

SHA256
d05b8a4a2b1f9ef56686f3f99ab0c764a62ecf2354f836ba7cb9dc7b72b1d5ad

SHA512
5209d2a9672143d9da83c49825cbb6a50ab46895fd68ac95685ac98fc9aea9b97f799de8ccef020d4540e820f2ea94880af8fdc74a745d3ed2cea858548e6603

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
845add69b40f8e4f4da775e6e9b066b4

SHA1
3d705a54fb534abadbc8efc50a4a7f88529a69f5

SHA256
d2b7cedadedcb2e802d0a8a1913fb48a82e74159aeaa875f9c1fbd59d5e8646e

SHA512
c3799d18141016b8e8c4344072967ac14e7cc754483d9edc42cc72587cb507daab2fae8f4c5b585c11bc8738aa8019b7ec9513d4607ce35f64aa86904f3dde29

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
316af466fb2f44b68b630f84b98cae2e

SHA1
cd0714ddb9fa1d2d14f664ba91371a0c0700203c

SHA256
2efad035ca203adbd6f9636dd5f8ab52fb55d9db0d5bb3c5ba6ebf1e7d9e9e6c

SHA512
8d294bf99caef47244d30f1b73c4447cefff4286cc468668f85c4969855cdbfea1a01ed6b6c96ad877d8c03d504ca7072dfba49bd0f5f145b26461b8c806c20c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ffe1c4c3df0322fccf879c9de828d5e4

SHA1
4cc3155d51747f3a0fd706e2b51cb3f72fe237d4

SHA256
03ff997ca2dc8306c8c0606437f700625df279044c44a98aea6812c4453c48ea

SHA512
1a61fc3194d99edfa7535b588329983db7754245767753495e0c2b44230dbb97d003f18d49e3a7fc35c4221ad1eea80b7d8ede51e9a2cb58e690bd561c833c00

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7f92bdeca17eb6451ea6dc0b2e0f4351

SHA1
05f789443f6e96e8c33178a70d154ad4ba762f41

SHA256
40f4d658a91e77e48abc3211f79303a0cd6cd99d48da2e3e588e66e71bc77bcd

SHA512
a1bf78cc6c1644d38c1a973fd6e53a3dfb7d021e3878c75a695ad164fa11106e9a3af68e2b8dc7e982bbc57a66a957de9a92fe9fb3be67bd47c7cff9f4eed538

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0b695d49b536eb9dc33e706cd0f07e76

SHA1
0f3a94729784eec227f5ac08d2e9cee9f8973b90

SHA256
22bf50d02cc81fed046db4800ce29b3c0a8df0aaff0bbbffd88073dcc3d78da5

SHA512
23a9f65a5e2f3d9e181180a9b685e9b8674e5c4a04110aa29e5dd66b5233f3788140b9de3b2b0ddd808ee621ae046192a2562b282f8837ee428a6dddb07d72d1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0de21d5477cea72c1b774b6d612ea0dc

SHA1
7b8fdc9e9d8ff9b1cffd12d8a905eea3ddfc3810

SHA256
7d61a219a7fbc70c265ec65ad16691a255111f314f3814fa6cb40b72acb50e09

SHA512
e9e11ede35035f64025514309bea235d1c0cadf74e807cb4479ee993eff0397d2a8505c2ccc3b88c36e85b38b04b25330409d2c4101a3e4c19ed2d793c537daa

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c6bea54af5ac59da9087a6bdd1ee7e8c

SHA1
2943d903046e5be185bae9410b14e885de4232b9

SHA256
858cd1a23959d688cca80185dbec22f5d6e9a421b45b885a820e9e646b4cba7f

SHA512
76af665f6547bdb7e4d68432d29851b36e19603fb836af3ad29f207d2345df76a8718e2890b0d0d185075af3ef6b48f0f12d4509561c771733ab44d602330085

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4c1c4f26b7ffb746cd5d797ff439cf7a

SHA1
8f17b1a27c7d5d3372c60202cd4533026d1b2434

SHA256
ca3abbc7d2740c5618af70d7f0096458629ffe8539f615e962f660cb26669753

SHA512
d423e60c5d5bb5d6e9cf2c9e7bed839d41955d712fcbd80a3ad60a8d4935205b68ff4166118dfef5eb4344851bc80f06ed8e23fdbc601dce8246d9c614923826

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9b94d86c3b74366d92e73f6d8c8c5add

SHA1
b8c2c3c7b11c24e33e52791055157f262f4b6234

SHA256
83cae01df73141abb9f7815fdc4f3bff326a8455f7ab4b0a82d1544fabebba77

SHA512
c13a48fb945653653cf354cf3f3a152c2972dbc43ed9c5671adad5df6798f4617b772132e4eb88c911b88853227ee67ecfa111d3c6881f7d47e4363b365f6ed9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c14b56977a95c40db356f2d637253a63

SHA1
44b57cc4bc3a1e0ac2c44083b267ffa95a9f545b

SHA256
5e36131c6a1eec551591526db451697b6bc5ba88e5e37cd173fc1cd8ba2fe240

SHA512
6b30c34b4e43f149a78c98ee8a86fc6bff362e41aa6238a55d8333b8e8e83aeb6980db0408c0a7e003480cbed8d8db4c1351c7917c5b696853906639d5d5fecc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
fc968d92122794d46a8991cab95433e9

SHA1
3a71874a6112f54c462e73c290f2fe37805e49f9

SHA256
361ed76dceb2cceb81a437e6a3f607d9e3aaf6cfdd050da1ba4cfdde29390545

SHA512
b265b8603581b88e69195164bf7008ba3966fddbf706521686dc336362ebc402d2f8d925827fece0e2cb7121fb7201b5d4158eee4d259c598de2f74b626b4b49

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9f58daa1f956c5cfde6e40251249e05e

SHA1
bd89a9e3b5130a1541be25754e2c4782f86764d1

SHA256
e809301eada10c43bd14a3ed8d9feef5551768ddd5deceec66b7f87953b1ee03

SHA512
6c3f9044eebb2ae74d31f80588f4b5209dd78804df0761231509222106bbbbe453d4707aefd279c8b502f77d7b9bda8dbc42f0036b115d1962f039e5d0b40ba9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7962810b5b31d0578e24935423ba3aba

SHA1
7b8f09cb7a090fe0cb898b4b697655d08f2fc373

SHA256
9bc637b3abcfc686fe5e6161ef07888e08c279d8dee425c4cdc14d838ef217e8

SHA512
0c67dc82c6a1212c496d992d6dcbbb922ebcac01ca3cc370469be833ed61f15021f94df23a37c62ccb995630cfee47ae4bf0a610de261b4b6b3301de65db2858

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d3037f4d5757d506541260bbd24274d4

SHA1
ec6342354f6f220ed5b0a173018b05da3b9bf0fc

SHA256
7d9ecb5f8325349abb6ace4ecb9e40aff4651bb371b8f5a2ceee1a0c6c34d2b1

SHA512
038dcd2e6fe36fa09293f9ee8cdce5616b0ed9347990665dcaa74e44c84d7db17ac63ad6e3f3837c43e706950e424bd45590247081eb23a9e915d33a7044d580

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
56253b3c95bf2cc2c2093b19d6cf21a6

SHA1
6cee48a98951ac15b5befc6c2a3a113be5a38b21

SHA256
090f904621fe0ef393c6fa49e3aa1ceeaac0cdbb9cd3c382faf120cb121a4638

SHA512
1a29e63e59d4242cbe24bdaabc41ea5f3aaef31033a96f3607be51df2d420ec212661223ffceac7d97d82b4f9c58bbc5104ad0e863b12d2d3cc66de55da7ea01

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
932f5675319da52ff2e8d487349b9542

SHA1
926d89e616b9db2df8b05ecf68b8264335ceca29

SHA256
e112f4c7ab6b257148ddedfe4440d75b10442e1dd927db2686471f55d7d15d7c

SHA512
142f3dbfc4bfebef4186a71cbe7790a29cd804f73a816145c2763352fa7803c9e177999c7195f77fcae46111c4a7ca7e7fe01bc19777afc27121551d8f6bf608

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
31fe325da1e1656c8fb32acb27bc3b91

SHA1
0fb8dcbaf3bd52fc4eabf17e1f5fd938d1843da1

SHA256
bcdca5a8b76fb0f6bb7258b1f267980b04b2500a40dc9716e04e35680a4d47f1

SHA512
8988a372238a21afac5b71a5d6631fec75497e1d4b9b02249d3396b2a9e7fe5488f11a08574746e45ea3f15b564d2c3e122fa0de76e183cfab0a271cf9576711

Download Submit
memory/648-529-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/648-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1060-526-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1060-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1320-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1320-84-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1320-73-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1320-80-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1320-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1656-43-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1656-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1656-57-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1656-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1656-37-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1712-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1712-475-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1940-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1940-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1964-259-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1964-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2104-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2104-473-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2324-443-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2324-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2456-530-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2456-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2732-1-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/2732-98-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2732-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2732-8-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/2832-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2832-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2832-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2832-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2876-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2976-470-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2976-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3408-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3408-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3408-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3408-130-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3592-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3592-474-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3600-463-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3600-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3644-54-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3644-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3644-48-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3644-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3820-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3820-215-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4428-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4428-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4452-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4452-245-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4644-469-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4644-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4644-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4800-19-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4800-13-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4800-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4800-114-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download