3bed5d0ff60aac5666b851b6972de07b666163761b20259de51149d4de148854

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Size

1.8MB
MD5

e9f5a6c05d03d76e632d711f9760cab5
SHA1

3629ee459e87b1e08e443112c2cccd1865023091
SHA256

3bed5d0ff60aac5666b851b6972de07b666163761b20259de51149d4de148854
SHA512

1be6f20d141892776705c0b5df28ddd819214ea3d85e2e80f829ecbc81f78ec37a50265683c1dde9d95bcaaf8653b8bae3606c74d0fa5486f5f66de59f18daf7
SSDEEP

49152:hE19+ApwXk1QE1RzsEQPaxHN9k2c962L637u:y93wXmoKVk5f2q

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3396	alg.exe
4996	DiagnosticsHub.StandardCollector.Service.exe
4744	fxssvc.exe
676	elevation_service.exe
1952	elevation_service.exe
5084	maintenanceservice.exe
4400	msdtc.exe
4524	OSE.EXE
4484	PerceptionSimulationService.exe
2248	perfhost.exe
908	locator.exe
1528	SensorDataService.exe
4492	snmptrap.exe
3992	spectrum.exe
2056	ssh-agent.exe
212	TieringEngineService.exe
672	AgentService.exe
3128	vds.exe
5004	vssvc.exe
4968	wbengine.exe
1128	WmiApSrv.exe
4744	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\425deb77c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d2475cf02cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1abf7cd02cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b86d1cd02cfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000684814ce02cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d4e98cd02cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068d6c0cd02cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e8edcce02cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a71a2cf02cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Token: SeAuditPrivilege	4744	fxssvc.exe
Token: SeRestorePrivilege	212	TieringEngineService.exe
Token: SeManageVolumePrivilege	212	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	672	AgentService.exe
Token: SeBackupPrivilege	5004	vssvc.exe
Token: SeRestorePrivilege	5004	vssvc.exe
Token: SeAuditPrivilege	5004	vssvc.exe
Token: SeBackupPrivilege	4968	wbengine.exe
Token: SeRestorePrivilege	4968	wbengine.exe
Token: SeSecurityPrivilege	4968	wbengine.exe
Token: 33	4744	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4744	SearchIndexer.exe
Token: SeDebugPrivilege	5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Token: SeDebugPrivilege	5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Token: SeDebugPrivilege	5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Token: SeDebugPrivilege	5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Token: SeDebugPrivilege	5104	2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Token: SeDebugPrivilege	3396	alg.exe
Token: SeDebugPrivilege	3396	alg.exe
Token: SeDebugPrivilege	3396	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 4868	4744	SearchIndexer.exe	106
PID 4744 wrote to memory of 4868	4744	SearchIndexer.exe	106
PID 4744 wrote to memory of 1940	4744	SearchIndexer.exe	107
PID 4744 wrote to memory of 1940	4744	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3540

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:676

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1952

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4400

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4524

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:908

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3992

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3796

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4868
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
36c06d8ae407807df7cb9960a6d2167e

SHA1
8325f5cc91f6e542ad4072c6a4844dd4edd4e897

SHA256
cb847e98653d857c51d01b09abac78d543068772715696f7cf779043559a4ee2

SHA512
f15445e2e39471479044515da5e30300868dbe4c8aae7b1ccf313d458974465e03992778b4e54665545f33b2bfafc7490e72a32a26859577e8a9efeeecf4b228

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7fbc17438443fa829ab2fef5122376f0

SHA1
999f5ff800e09db5cd37c8e7a31a596a6d2e5586

SHA256
b581f38677b2e8dde77d8030a5a7216eb1a76d08f7a541c442e2d2d23d554bc6

SHA512
63ffd5117a1c95f3cda64015e27fbfeeeea2262d29833811a8eb5d46e7c1d19d566c15e90ce0e1c8be1f0c069e35c1d36ac86641b371fc40f3f2da53009577c5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e21c8b81f5c3098adf866d1bee07311e

SHA1
383d3280f6ae12c5803efb00507f1c6e15f62ab8

SHA256
4f5cc499a55df6dd7677f73e95846882c01ce5152eb3c41ce8f53f18554b73c1

SHA512
152262cf4aa8fa65c88e9b7d3c24285320f1fd3264f7229a0fc20caad417efd73d961f896d8642df4e7f24050cafbc061d747b6bec904f08ac121112b9f47244

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
68af0a7737df9bad4d000eb38d62aadc

SHA1
792a0ec26529ab15ca3cbc83cab3863e87aff671

SHA256
41d21700e09960eb325a2533c54e3cd0896f41c6a512febb31318c9fade9cd86

SHA512
7ec155b67e99bc8fb19ac0bb27525d71acde8c6c6d7647f6164acd7fb998cedb873fcd8cf53040fade0074e0a03116b0e4c70f3aa9112bf2cb20b83d42159d55

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0b415ed8d29d99ca253fccbaa5fc2530

SHA1
e3a7cc922a1d0cc317b3051fb109b6369c08f743

SHA256
77eb1395e3439afc0fb1803146e9e49484cd1cfff721fcc39e8deed79b33c44b

SHA512
a5d27272f87e3afb1084898210fe3ab8446a5fbdd0efc7ecbb7300c185d26a1bcfae53539e136b47fc58908d84e4f843aa46bbd48bf90fac795336493b03a72f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7e7804cc31042090ae2b677ab22770d5

SHA1
4044a42fceaaf08a3d9d0f48c0a102ee1efda6f5

SHA256
7cf8732f30f8b1c4b21b1685497e04010b831d715fa7f48077bbce68c3122056

SHA512
dce0acd4a8d1b4d9598e7cdb1b073c7f4c0cfb0bed638b54e6302f68e009cf28931cc1d5820400a5cd411e8cc10fd24b6d4dd523fb7287734c98c5d245caa0fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b82afec18ab912765c2d8b40f9514f53

SHA1
8977e44dc0d0fd311ccbf46895476d47dc638017

SHA256
31c4a600ca699fe50dd5f310eadeaabb4095baae0c456dfe553dc4db7ef18661

SHA512
5796f010a8345cac7d1b10614cd9da29ace2b8c6239f27e25337a3e0c1f6bad75dcc84d5941b5b694670d45f3c685a493ae8c627b6e679a16267745a08087097

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ccc69cd89425ec27a882549c51d82844

SHA1
1442dac7b6a2643118672797b8354a442f1408fe

SHA256
a5810aba72ae73d8849992d2b1b04d030e71ea2c07e9f16f4ba36f9fe957396b

SHA512
051e5903ff5a8fd036ad5e630d0e3b2c91c8730e083e199f0da5e5a402c2bc5a8ff270b506e44c8efe1bde4ea3dbed9eac78e2de1b9cdce6350e638f96903b26

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
96910b28fa351fd7a6a36818f69ae1fc

SHA1
31efcc546b5c19225d07f434ecb7c1dac9cce3ab

SHA256
ef8772f8b8ce48b6f624090ef42d9147a60d5346e11ca77848d21b63e3efdc28

SHA512
ff5bbdd50eff85716bb928a8cdba42d33ac9e406e4ef2d02eaa6ce366e727aab75a2654666f1f05258c3e284f1deb57fbb5fbb5d0766c796101790b13cc09c78

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6ddaa05239740ab44d28abfc0fe67f29

SHA1
a08b8f7eb6111825dece914958da36c4d640de79

SHA256
7300766838069740460bdd7528487216dbcf44e45a0a1af935b72109998747f4

SHA512
99dfcfe4f3ac905ec90ee3e953202a4603d1a0187285ed7e6627b2aae095476399f01dded0f10a0f2b599c67da108d819143db2b7da848a69d6f4f3d313d456a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0c132bb3825a51e6a049c543958e1303

SHA1
5b557d864f05e7699f5595bb9d6b6635f06c07ec

SHA256
01704a8fd3fe74c4f8169733ec1777af812fbb9b6ebc9044be3ac42b04ef5b36

SHA512
f82def60b91e7785af1549637419c7015f431d933916bb6eef2ff0cf5e9bda40b6a7c1a8655c32ef7f0f8c8867fc7931f00826766a1a095859ec4f8541575aea

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
069b0a1cc97971088a9de99cc7ba5e11

SHA1
39afb40dc84e262c42ee037a1edb254ac8280270

SHA256
d59a89fa7d085663c3d763d9727f7090da1e268685b7711cd19c6e73864d71c9

SHA512
e80805d9268f335830475222783b28d8bf32605a652f61f9a4e02d761410f5b58190296b92833561a151203ef4d796310c1b301f9e0c102473a32c5e2879afa2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
abd6281779946da32d89e1d498c3c917

SHA1
f5ee62443be7eaf8c4a886c1d8aec67e3b1bd1da

SHA256
5342ee7bd222f2c7d326b7e6f5472c22c611a4e6c82539869f6d2fdbe43cbf08

SHA512
e4ece8e2c49f2c59efff178fcec6aefabfcb6fc3fe1c801b92577b15399f3f5fd7739fc31f55b6b62a51007dd7e08fc54506b7508f6628d44ebb6626c4f57e8b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8a58fd5c5c0b36ed3d09b7098ad3acad

SHA1
b8610093842d4a4b21f4b5182562081a043190ad

SHA256
819ad4b063f57a3a3b3a566acc4c2e026fb54b3e5d5659a6006290b2fed981f9

SHA512
1c970d7ad23944f8728a4d274ef458d338d32b7729979d6f48b903e3f0c56b1b26bff34046ff5eedec07713e8b0457616d4bd8de1d4ee587fb8f11e924e5d743

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4a5adebf6f36365817cb7e60125991c6

SHA1
d9a11b5f2ba3717359e65c192000ed92e69ead19

SHA256
2f197095562f52628680e5b85d66d8d8afceff344af6135bd99ef6fb8f917bc4

SHA512
125ffa7dc82162e25c5199e80ed64786e56e429ce37b56d9fcc0383708e50bb2021e83e5296405c6d07412b9570f10aabcee034f118617e77493059a3eae4355

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a8a0a0c092af310e9e0e1f404049f983

SHA1
4a392ff0df4422716d83b86e7beac6f1823a72cd

SHA256
c17ef2028d3da177fe65c33d845802423783fe85a0a65ffe0ce70ef9b00368b7

SHA512
7dba71091c1ecfeebe74f99151f1a013a5e5fd398c9cc929ce9776238cd8edaee37a95a8fbc292324b213334849872569618e5e66c14d45bca6e6fc63d9fd63e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
78ca619d90c0ea880c23e4e67a1a8915

SHA1
f69cbdd7747e175474a60221d380c371b19d99ca

SHA256
4d2b8e8d89540e3729ca94c5b880aafa8d2cc15ad48999be1250f3d15f4e987f

SHA512
e4f1f246b60aa72ffdb2b4ed6b0a171598fd02b8a487eccca6104a96d8b24d3eaae241a2f71d6157e59734082cb3d0d229d938b60647c4c4f97f3214a3a0ceb0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
adbb7a5643ad5399b99a7e0d8356e309

SHA1
6a6aef5e9f907e6372b61104831620d2383a44dd

SHA256
97c384574cacda555eb9bfb33ab71ca5132fdab766f6502dbb684def1be6d6e8

SHA512
8423f843411eedbb11a3db79019ad2b1187edf5984562476f73d6c7473ec5305f84d6c98aa0d34b5b80640b04435f1bdf98339040928fcf2d075c174f23c79b1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
1fe0bf18a5c34235e181353021d65df7

SHA1
045e1093f61063297f3defd588c123a19157b8ee

SHA256
2f352b649ee54c3172d5ec39f844f2f5acf2e375e8e55f99e5caabecd8fb226e

SHA512
89aa44c420dd3348a99e67fca83359f15c6bddc93b28ed5b2e2ae7cc257b935bd696d13da9ebce5a8ead1222eac669f2ecb8eb53d2bedcd862cf6d6cbe3806e2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ea715e13013f410352de04b5772439e3

SHA1
cef029d6fdf039c1ed533c179e5c11d8dae6d380

SHA256
44e147e74373d3c8e0c35ce30076e24bbeb18a5737ff34bf15b3e23126c4bbae

SHA512
666ff6e8952df4970b7202fabe69886f58db0a012594020975df03350479f30d09687bc730f11def88c014c043230a665dbea2e615f6c922ce4e3126af0b7aa5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6d74a96f3556c0730108fb3e44f27762

SHA1
372530bf91f99ec765a9dca35b686e1fe5890b53

SHA256
ff70a2da3fba022362b911e433ab241e589cc56c12bd7c03c7977b3e604429f8

SHA512
a7f93a1cdaef7ef2147371673ff661960bb23b36c7a354180587396f68bf1dc5a7afd975530350dac2670e3498734a3d460d4bc5e2958b95bb6f1ae525605221

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ffe9618c697cdf2aeb3a32b5b7f0b65a

SHA1
7f7b19c30b844ac658ba348fd880d55d8d0bea5a

SHA256
9b0059463fdaacf939d3578a39f676ce6b6b4ea8e56f294c867fd26296d8744a

SHA512
fb647b127600740bdddd834c0fa9f78af8d05d1c4a16b4b1b4e35c2345d73ac83a44030bf9ea0627f0cb4e5b03903a0899b84105f365409fc2115df1d796fe4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0cfff4e099434e95802b8d9e03a5f1b9

SHA1
dbed69689aaea56b17c796157e7c847dd6cd31f0

SHA256
cc9f343e51694d47aec96f41eae2c2dd97da9018c46cef4cbb11a4c92f2a8696

SHA512
4999de05f9d2cd1f705ef046662f11106d6fe98d49dd9e013121f6e16afb4ce7bc3a7169b13bc0dab3e79c91ce303fbf2d614f0e8627c5f16a487206e4fe75e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
e8165aef5064f3ee6cdace25e4e9d91b

SHA1
b562285b97552f522ca2300b24f79d9c092bda91

SHA256
ea1269c74aefe54f3ae62ba3a245f0d6c2450ea4ba93346b0fa3a783baaf864b

SHA512
cef70b1f0e417d971f1c9cd09219b2b0fd16c9a0085bb257e31f98a358d552d48f5f6bc5759b47d2a85acbc1291e78cda4ea0854f31e668fb589b972535c1971

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
69eb675501872d3a342675b176a4399f

SHA1
b2730a308bc174b37beffd902b0dfc4bf719a5a0

SHA256
41f33c3116905b26e3ae6909f13305013be873bc6423ee843ff724ca6388835f

SHA512
a6488d2a8ab2f3640fc00330952f7beb32c4e57a1d5ebd2d100026c10bb44a6948d6c9967f79a2a51708d533d3ed796d4fed3aff71613255baea066bbf8aee94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
82e8d8dc0acd5c5227b114699977a7bb

SHA1
1e0e35c965e4bfec9684a418aa06e8d8b91e49bc

SHA256
5f579dd3ecc3f621f5b4826a598939ffff0af23063e95664c055b17f19071329

SHA512
fff373f0ebc97fc24ad77282528f5df0a3a72d89a93135b3a4622716803cada4fa684caebc929ba3c965fa3788c1fd2328354e620304a09531be34402520d879

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
2f789790b9e6bf7e4ef343b69f4a9e51

SHA1
3aa2317972da5425ddb4a10afb23eb60c31a18db

SHA256
b63578324513c49c853c266c610ea58dcf3e2fee0b9980ac5d9d097c6d0a8f84

SHA512
98cc13a041b98fa2326742b31341509489691d6c69f884005b625127a913bc1a1bc3df3080b8cf191cb9f780b12b1090d0b8cbb8cd306394e73691134f4d4355

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3ac377b44d22a61120df64aca386b11a

SHA1
d56c79d49011c6beec78d5d047ac892073441951

SHA256
5b9e5d6e087e7407b90656cb13ac22ba1d7ea46195cd905c4b08720a5750106a

SHA512
2c0406dfc89e80677dc373423fb4ca91177968a4eb06c49f87a0a7fae35d394c427c7ef5bcac2c13de090e273461ae2cd1fbab8013b35a5a71f22dd0d5a2bbf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3848f0c79b4b1842404d795f81dbc847

SHA1
789890a32944e43b94b8d20bbc30523898cd4bf0

SHA256
917dfb150178261e66f814806aad39a56e163b3119ce092bd1158719774175bb

SHA512
210a3972c206ab43a26e2dfce5846a30f446610754e9ae1b61858f92e5edb273695808d81a3acf2d913027f934b6d9548bb174896baee02421d6d20214132a5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9620a79ba206e0d41444856d893c94b4

SHA1
bc1eb8a8f066005c1eb47e1beee756a8cb07af2f

SHA256
19e4e8aab0b1944ce7f498e5e1870c8383a5fc5e0fe74b83464f4a481372679c

SHA512
c1b57213d92d40b9659235d03585f61ec8dd610a1cc5463d436aa3e01f86e712e3fd60a36b9428479835c3983ec6dc0ab33f8d268c0e6c06c31d0e7f1ad0e6e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
06c01086828c31469702c424d25c9dd4

SHA1
d9d0b1800435c8612af7745658624d796dff422a

SHA256
bd198766bc87157eadf17919f8528a8266dc0a02d0bf914c1489870a76900bcd

SHA512
271b7c4ff63da445b48eaf7d96aba377b1596866ef58b6e1260e5429cae664dee3ba25436b84bce5d00e98e45ca5f8048821676dc6314e5a4c4e7c7539fa08e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
116096688caa514626c998cf89988e24

SHA1
b0bdc43cc80f26ac891f0b9fe662322660f00531

SHA256
0b86d92497931460998f4f074a5cc8565cc1f9f945a117e56370b44a47a70fbf

SHA512
a90ad8c9b97c5515661ce67f5e7021797b4efc4eaaea2148c50c45ea368abef7df1bdbd478fab13cea34010060b35062e56dd4a1f7a4ec7f32b611be520bae55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
984059a725d020a52f75f2f8db89f840

SHA1
abedc88876b8b54064d777d7351b91ae6e5b6c4a

SHA256
7ee89bcb837eedaa1e27fbe0b0eb764caf60b0393ae6d075753f124cabc00eb7

SHA512
7dff29870bc22536d843ab1d11298009c4ea3e29614cb5355274964b27b610ca23f8dbe9939a573980844508ce487932516e4008bb97892f3f70d04294f27851

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
539685dc7c8fdd76927c22390fb28b27

SHA1
aff7aa0454cca52eb1caf579d251b61781aae0a1

SHA256
200aff0eb1c2948106d3f7b2ee468a73f9e2363bad7d36db47211e1272c76d7a

SHA512
c9b7da867fbb413230fcffad49a19b568362210dc995b567f8c36babc472908ddbb8d421e591d2cfaf2d602dfd0bdafe6eae727afb80ea512aaa680f91e3da66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
dffc7616263c7ea0299e7bd9e3a4fb83

SHA1
78a2d369b3172578254954031565caa12bdfc1cd

SHA256
4ee8a2ce6c56cb0057641954127363ae0e429cf9cd7461b5b8cf4463ae6dc829

SHA512
a63b9301ce1dc7a291e58907d75615cebc7c6c3428397edbe224f19518beed3d2c148f4f3f74d85632507c32a85ccadaa3ab87235913fe760780656b01402b3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
86a68351970b596a6626c87acb3d5444

SHA1
3aacb9025242483450e8a29606050a0f05d52544

SHA256
2e1ccab500eb89c465c7e8ba43e034f9371d0da3d387f329b6ecedb93bb6752e

SHA512
95f70da1cd129be0f2584c969d22b5d6a00ba5f106da9abe4b63f8fccead5ff9e39a7ac2e2e98f0ebb5b315e6836c75d83361a1e905cec289dbd7f9c0b299ec4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2a3e62fd0ea2fe255541a7591b0c9a36

SHA1
c344aaeaec31c809bf1aa6468c3188bc0f53735b

SHA256
d02df6abeccdf3b0e31eb04cb1416df96cc91570aa7f7b8c2b14e10194175979

SHA512
c0f8d4125606eadfd4ba6e3406884b2e74244027956324a43671869ab8c7c27c7c7d91f768aa7a730d0fb7b8c5220fed2c9fdb9ba448b8db4d2af31dc425311e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
f6378e63652040cc018f94f29f905354

SHA1
6359d7e562f775aeee24ba9cd973f60fea2aff95

SHA256
dccd0bfc38526a90b90fba44d4d3126a054c108d9f3f095e275d45e92b432a0e

SHA512
5e64824dc89f83c90db811392fe54129369d232622a130201fd4d2decb92371636e7b1ab465e88919eac3bfab93554b6300c8b52caa481518401d9a45f67d100

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
50060e75a24158550406f9f74a1eb6dc

SHA1
7c9ecee5506fa0eb741c2d0ad5c322ce5148abc7

SHA256
fb51605d6590db7157a62b6eb6b16325523d44dcd3f124eff689b2cac2a5ae3b

SHA512
9cb3c623ac9e1078212770990e1cfa9511aa0f0d3dd9a73469352bb0f40179644ae6dc3596a784a46da0612f9030fa0454286b64354b95618139bef6a555f397

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
37d6f40deed1bfb5c1492ce9649d134b

SHA1
fde62674f426ea8530999e5c3e11da19ad772e1d

SHA256
eb849b01e6b13f65e5927f0328af5201c2abfa9bcf4f8a0bd560a6330efcc26d

SHA512
03d6920d09df97a63468469ec095ac9c8f90593324e9ddd1c91dc03b076eaf56edc4a683e32093971b7d87752a33d3f82d37656d015377979590cbcedac574b9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b46acc7ef4cecb2da4add04faf584261

SHA1
b7c70b0d51743b28ad43b6b298aec35df12a3125

SHA256
b57a722a99c59f54047ab168f52641c4b721639303d9c8c6955c9f948034116b

SHA512
645ace5d19e4c4b66d4009fc8bf67d073195e91116577ed4618fdc7c3dad91891991d0d04df4d7fcc956c41d61fe2ed1512ab7d570f3ea9005b6ddf676ea8bb4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2e34b68fb7aec069896cc38a7adc7d14

SHA1
01937dc98fb5c498f183c7ddf552c51a52702894

SHA256
8b749966a53c6f95bd57dd1b5fd8830f8b29f2b153da50cae7f66de4686a2d5b

SHA512
752ea63491981f7a9f0d23ee8a105dae4511f165776fcf3a053e7372b6ff0cb45773179d16405a333468f3892a83429eaa94ed879773e6e16b706d939209a8dd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
7ad6ad77a2192816b4a0bd315ad0d683

SHA1
865f13da7abd71c561058b1780366153dd41cec4

SHA256
cd3c803a19a9862206b4eb1466cabb13649149a72dcafaeb603a2d28df99c233

SHA512
d5457110999979e58a2eff0c05bcaf8d07f044be39f1914c2499a339d32aa5212ca42314f1e5614bdf7407dc5f8afaafdb618ffd39638fab12157d8ad64a1214

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
bb896f624a7cec4f1bebf79bdb3759a5

SHA1
35fef7862480e3ae57de728b658505b4c42b2887

SHA256
48afeaedf1ec4d86ca9adae569c5b708be00ec34ea350afcf629db8237a36e2a

SHA512
d0ecd3b28c432d278e103f952a30615f2130e7b77708631c75f68caf2ffba3dbb311b3e694ff961d735618d0677c259a3ca7c0bff98107693d3acb16587ffb10

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
960ed739b4d2847d9ad6e3d2c188dd0c

SHA1
5f1a24131b3f9e1478145042566b4e5ceac17787

SHA256
83a4295fb35345ef68cb1d4d32f9b1d1767648dc5622792fde9c55197910fcb8

SHA512
ec58d06a835ea7239d8de66100cc7a0f963a4aca6dd9fbbc09630819f14863533ba97010fa704df6b979143fa80641fb0f4958bcafd36c548837768a48c4b1d0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
70d0fe4e7812e68a524f72e0b5fdeee9

SHA1
994ff971097fc0f3cc9e83072343e2bdafd310a2

SHA256
84cda7de3a07d4924958f37758000aa50fe75f763a021bce2a9273e0990e58e8

SHA512
50a7ebff4880bee30d378e3d2ac976462417b0d823ef3398d8ca6a0a22a1d9d95d9e6fd39987e7ebd74fbd6b565c1d6a7035108cb84866f0967f92921a9ed5c1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8bcf7910801dc57e9f8f70370aff26d3

SHA1
ee9d172238335caca748e39347dd0c163b7cbe04

SHA256
eb804ae2cf2a79d330306ac612c0eb4cde4121b95bc8be166a1f5ca563cf712d

SHA512
6bf170f5c28b6e914f95d55a5b752556eaacd932638f112e5d0d5efd6782121b6f0c5a9af8850980e7ad013a481bd01e73a14aa8f74a267fd6928bd0cf2f1410

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a6f3bbdbf6b23e079b259d72ce7b1afe

SHA1
a17460a15b600d20e2064d06b525ddb4b430c6d8

SHA256
9e8a64f823ba846f5b1602f026ce1df5dad4e9dac055c65eca2f9a57b49b986e

SHA512
7ccff589b100608e6274127014e12728eefd53d0cbb93dc7548466df6f92b02c2cb381a2befc7474732c84bd742368259c197a078907bc9f04e2d554b77923ec

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b76d98d139504ed25376174bda50115e

SHA1
2694aa8e0428189d63470afdbbfa872becf735de

SHA256
fbdf0c959e22789a604ba9ed2407ae6c5d5e40ae06f47767b8dd03dee2454560

SHA512
0542a140c4f2abb526691e37fdd6832609504ce1a344b49f01ca79d05f6dcfb763c5570278dd3376390932b4e3823057d7ae134edbd51c90b97b3f1472bdbea5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7db64128e41b733d4b295ce50eb2d8ba

SHA1
7fd927b1dbc6ed7e52c5f1d2b34d29016f8cf799

SHA256
9d7bf9f0aec42797e79d5b92919402cea3223d6146d9a61e9ef15dd788278694

SHA512
ea4d2b89d9bc3e4ee63aac9bcfda6b3db380ac38a8dc20b9407f62a8287fbfa8291b99d7bacdb56943c0636fe01eb48f26431da326da224e96e1caa216b48035

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
be559c17832024b8921ec9da43cc6fce

SHA1
ec26cb4fba882b82747bfd103f2b15d36982d8d6

SHA256
0329accd6b5c815d7c7839f50a901da8050fb193e01e2307e3fca5299bff3e05

SHA512
15ff97278b05cb1b5aeada9da67bbb6e1e542909dbe471db35662f3a18d1e7920f9a47a8f289f777211c25adc3279bf3ae4c1bb2846b3eb7a5bac51588719f4b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3fe70ec6c14da839f2496509eb0afd4b

SHA1
9aa9c38fdcf59b1e20bbe6c9422096e63b73b68a

SHA256
97c9601e6ef9ec18af724255b999a1f5897e254dfbca694c578d58f759cff011

SHA512
d28fbd99208eaffc21d6ea040bc66acf1c110b9d294b59499e4baa315808eace6de9a938e403d40ef5032674b267f382353160fe752cb2bcce75ec22dbdb3b52

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
6da3a925749267e5976b152e2ddc0997

SHA1
80161155687264eed819f24c52f5344ff0df9f90

SHA256
68558c5309fd2b7ffa120534b7f1cf2728cbff0b96b0a161088bd4000d75f952

SHA512
82a05945091f32396c24297f39111a4dea22cff70fc39512ca9a8c3ce17ab9ff742469ba1266ea7ee6c22f5c8b440dfd664fd833fc06168e93be61c2c8b1d542

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ad664c1a6361a21ebc5c394a274890a8

SHA1
496a121c8608284dd31144188ddaf37d6aaf999d

SHA256
71e342d1ca4d7bbd716f2ce7fb15dbbf0cc4e792c259e30d53d57838c55468a0

SHA512
8d00feef54c4ff40b80d7a3f5b14a4776d579514452d9fdcc113c0c5cf6e6b8e7298f053dc2c2894facc3b968b59b79b0c41855d309fb9e6d500a4557d15a334

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4bdfe438e7db88f42a66ccbe55e64127

SHA1
35ded880e4e7c071fe42051a46e39f725d34bf3f

SHA256
45f6e669b179cb4d718570441b80371c55e9981d8fb0628a6ae1de5faa8587ae

SHA512
8960a44926b6d97fc75fc25aad30db5c51be8a5ae888ef0ac53453b45318a9f115ce8ff2fa3520aba197d4b14b64a3565108a6c33990812a6986f957ea553ddd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
299803efe1d2020ed9434a0edf1fa43d

SHA1
34da8959de0409493aa7c7aca47dd19f63cff3e1

SHA256
01011f29d0a7cc1a49dbecd34461043c2396ef96ef2dca5cbb635dfcf0704b1b

SHA512
edb6ce4a0785e57d62f69202c9d5143b58761f64f2930e07ad21ea22b917b21e91a4368dd458624b8f459a981464c819c698d94b5b12243048506223e67ea4e6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
127d62b15784dca4587e5b0090003d9c

SHA1
b416270de74ef5061055e08b252c3af6ac142692

SHA256
137ac490ddc123fdef8974db16a02ab0e64c5e6734c4c9e6205735a88af8af74

SHA512
3620974964afc844c66600f7484789b96c90b711430a5fefea628dd3e4c3d9b3a328e418d4f019f99aee5b5ac946a5fc71a9927e1214fe5c2d4209f8970671e4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
f1ffafc8e7c5fc8bd0fa31cc303ac173

SHA1
2745f999a1c57d84c8468b30b02edfa0ec983196

SHA256
f42f403c890fb35ab08d5fe3283b8b7470549d40af2d66f8342410b79dab5b84

SHA512
30661d9c14bf05bc182b05b6e87609e399fc6bce809bcbd3d4d8a594070513e57262c0c9210f63d966e6b5c0e0893352c4a5a7092e1fab1bf2183e80b362bbe8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
8242ce1015963b32b6d479a7a40af0c8

SHA1
41a7beb66625c3b0203058ef1666485b99eddea1

SHA256
303f985d60b30f2ab60e89ef0226d9f6a73e429585378b0377243e3b8beabafa

SHA512
7a2729571e47b40fb33d6aec4d0237433baae1b0a70e14c169dd9c055cbdea9ea700c29f9a20d0685b415ca96183d6dc319968fe941a5f3fb976ae213cec8c6a

Download Submit
memory/212-601-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/212-199-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/672-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/672-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/676-59-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/676-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/676-53-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/676-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/908-261-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/908-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1128-607-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1128-262-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1528-599-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1528-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1528-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1952-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1952-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1952-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1952-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2056-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2056-600-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2248-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2248-249-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3128-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3128-602-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3396-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3396-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3396-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3396-117-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3396-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3992-516-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3992-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4400-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4400-92-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4400-210-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4484-237-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4484-118-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4492-449-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4492-172-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4524-225-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4524-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4744-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4744-608-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4744-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4744-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4744-45-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4744-38-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4744-50-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4968-606-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4968-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4996-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4996-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4996-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4996-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5004-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5004-603-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5084-88-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/5084-83-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/5084-77-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/5084-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5084-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5104-75-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/5104-5-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/5104-0-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/5104-8-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download