207e6bafeaace0c87aad21e524c988c40fd608f4cd08883a593c69709c7530a2

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
Size

712KB
MD5

e667232d05412275e16bbaab0ea24717
SHA1

5895fbd5163970b7416bafa5b465e7d8c30d97b0
SHA256

207e6bafeaace0c87aad21e524c988c40fd608f4cd08883a593c69709c7530a2
SHA512

0bdb2059d8bbf46322f1b4154932a1d1374e5a1e719e462402796a353a04acd105411250a2c56b66d23e3c63da5620bb5853f5a1d1bc699218d1f6107af37406
SSDEEP

12288:htOw6BaSf3SBPjZZQOcPskdzM0DZdwPCrUQaoGFU3Q5QitdsOeg:T6BtsdZCA6N3Q6itdsOeg

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1792	alg.exe
3060	DiagnosticsHub.StandardCollector.Service.exe
4176	fxssvc.exe
4968	elevation_service.exe
3872	elevation_service.exe
3644	maintenanceservice.exe
4656	msdtc.exe
4476	OSE.EXE
1516	PerceptionSimulationService.exe
1280	perfhost.exe
4280	locator.exe
3660	SensorDataService.exe
3412	snmptrap.exe
4464	spectrum.exe
1644	ssh-agent.exe
4840	TieringEngineService.exe
2452	AgentService.exe
216	vds.exe
2440	vssvc.exe
1656	wbengine.exe
4584	WmiApSrv.exe
4224	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\665e62316be280c.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_94843\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e85ce52aecd2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1efda2becd2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000916ebd2cecd2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024c82d2aecd2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057b3392aecd2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb5a5e29ecd2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b641e629ecd2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054acd42aecd2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a021ea2aecd2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
Token: SeAuditPrivilege	4176	fxssvc.exe
Token: SeRestorePrivilege	4840	TieringEngineService.exe
Token: SeManageVolumePrivilege	4840	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2452	AgentService.exe
Token: SeBackupPrivilege	2440	vssvc.exe
Token: SeRestorePrivilege	2440	vssvc.exe
Token: SeAuditPrivilege	2440	vssvc.exe
Token: SeBackupPrivilege	1656	wbengine.exe
Token: SeRestorePrivilege	1656	wbengine.exe
Token: SeSecurityPrivilege	1656	wbengine.exe
Token: 33	4224	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4224	SearchIndexer.exe
Token: SeDebugPrivilege	3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
Token: SeDebugPrivilege	3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
Token: SeDebugPrivilege	3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
Token: SeDebugPrivilege	3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
Token: SeDebugPrivilege	3596	2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
Token: SeDebugPrivilege	1792	alg.exe
Token: SeDebugPrivilege	1792	alg.exe
Token: SeDebugPrivilege	1792	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 3012	4224	SearchIndexer.exe	111
PID 4224 wrote to memory of 3012	4224	SearchIndexer.exe	111
PID 4224 wrote to memory of 1708	4224	SearchIndexer.exe	112
PID 4224 wrote to memory of 1708	4224	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_e667232d05412275e16bbaab0ea24717_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:384

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3872

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4656

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4476

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3660

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4464

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4652

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3012
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0eac633d4c43fa538cdf9bacfb960964

SHA1
a7887f44164f1c694cd1ae1e1c603303abe97c24

SHA256
4d4b5a33f9c2428b4079e2aff513dbfa2c5836a313ce7e95565e6188cb6a1744

SHA512
598dc51eae56b449366d70d2754765f53489b74556ae00ae7135aa80dbd5d5f34e25219348f7cee297a67824e0a3ad2730fa9ca70fc8d120e00d5512fa0ab931

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b865ceb35080179936cbf4f6288568d1

SHA1
6b049f93fa28f1a3de0edacbee410a7ebc0a0d87

SHA256
b6c99be2cbdeeaef883057bd1ebee842805c165c8c7f5ffa3965fd5b62846c95

SHA512
8476a42b08e39a8adcb0a3be236b034d1d8e7fb6baca3013b2ac4d80340c565f1cbcb7fc849914248021c6a0d376c94390744e843077826b68299e1d33c71722

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
41b512ab3ce52cf1db7b693303b1103f

SHA1
ccd698882c73ae377281fce9ec63df9afe1ba269

SHA256
4d9c4fcef8ba5be9f1606e0b56e6f56b8639fb171ba0a8197a57e032145d5ac6

SHA512
88b32092065569c682ce6a42c9831a18fbe86240e1050136a0379cd7ac1db33d157654a5da0ab1eb4416e18ec4ad2115d52888ee846e21ee2beaafb1f57cd725

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
92bb207e7818cd2695630396560e63ba

SHA1
5dbb1c2aaa47c899415d2c285abdf3027412c2a2

SHA256
78c05b101104849962b7af5f754654ed4155748daebe8d120ff4b3cc5cb2f910

SHA512
555dbb714aa550cf8f7f4ce79eaad5364b0a2bbe298fb1c88a0d0040b35b781c7513d9bfdd81a2753b6637cbc460703279ad2ae2f21fd7ee61323c7e2901c0ed

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4a74c58c4eceb6472b3aa8d6f751b94d

SHA1
940090c6634a12a95394ebfd567f6a0efc336ac7

SHA256
37b2230a4f60b3bb81a5591a8c7e03177c3b4984f23011b5c2ca444d2ff660cd

SHA512
127796ad5f8e19583917e53a6ebf7f81ed21a84506d3fb8553e52d54ea2087c681f92c0905c71ddc39181cf0c75f1056b1394ca4d5e93c1aed3b86a07de9f5f9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f6569e00fed7fdbe7c48ebcd782014dc

SHA1
2e68568ba3fb7fdfd769424189e1d501fda00b87

SHA256
e64611e5116c058a04ec791bf6d52dfbd22e65379769da16f745accbf8fb3dc5

SHA512
e0570bff33e682c390556828a8322035975dc5cd7258be9288e28b01db292120f72a934108081c0e7c75c1f2492fec2585dd6fb2ceccb50bfdbeb3a7963fed6a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5baa55bc8107c12bb792936c8f644fbc

SHA1
07646eb5c64f580ac91778669169c57a4814f08a

SHA256
1b04870a7c58a72cafab98f07dda1d78536831c6e50a0db92db0eb016f6c4ece

SHA512
7935ecbda3a978796b1ea6b530ec80e8e0a0d5f305384de2a3c14eea04275c141b10b35c4d38d56abe7b2fe86895075da5bddcbe7dc202f2841d06692e3b78ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d5bb0cf8b381a034e4651209591e46af

SHA1
5dc6e7584ce3f9d93c9d9e78c0c305d75a735c8d

SHA256
b639b901f809344eda2adf146f7fc799eddff63aa89f638b1190037e8434eacb

SHA512
cb5d66d3c1832870b73d3160a8deb9ec224438fa6334c472609fe5939545f8375f588207c9383b602657f6ff4607c17fe13f3982ef827bdbb2031289a73eb99f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
eedf356e28babe70a2bf6a5afc7c9003

SHA1
4785f8f25d39538300ba9ae3eabdf0e0c2009477

SHA256
9b19046e10c38ccfa681f49052f6cf5b6fa9308f112b7d507d0663f31cbfe609

SHA512
6316d1b8a2b549600f52c0c68a33d3bf86e9dd54aa00f1d0bb2995713da8b7154616acdb1049cd6cff9c0e89a58ded306f24dc1be94b726829afa1c7ce909e08

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
34b7324bf07f97668cf3180cf5484f9a

SHA1
c5e618d53236908748e3e4e49c1142b3e4c99bf3

SHA256
41b9bb30ce6154e59755342c82ad92e59469aa71f9371d134187929d8114cdff

SHA512
b7134bac0cc16667f4f2eec2501fececd0e2e592fa018368af6d9c1e06cef094393e77d08844acce9da81261f0a4d3eaccb7c445f17613329035ede15d33d83c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4ae6ce22183a85aa5be4238005f7beb6

SHA1
f5ed089a68f0a0acc948f9eb38748db933c7c090

SHA256
a63861a0cec20ad4b4ffb3493d38b4418daa5e51269bde364538902fdb9516f0

SHA512
9f821502488b77bd0be0ca88f6d004f88d8673fbcf1cc844d9e6f0c76d5cd6b121233ccacd6da29c92bc872a06f1528423ed2647bea38ca8314489fea17f721b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a4b72f2fe71eade8a4ba6a5975784b1c

SHA1
b5ba50ad2ec5429fda8a747081b5de4a55a36b82

SHA256
42af331eb25e0e6b5000273ca5aa293b149e5b01cbe65c0755fa40f9d75222d0

SHA512
b7fc08c8b7dfb98d9f011a13dc9ddf189405eb0db2e3020325d95655f559cb11f8d841952164a15f2a384d84b5e73520d5161078df8ad8a254c4458eda226c1c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a8600b91f5fc5d55d15d48b00b2a5945

SHA1
69328abf040fd02549d294fcc806409d43490e3c

SHA256
5f8d7e04dd58117b1a8feb6582c9a691407a2828b904ea7752046d7c8521eea3

SHA512
5278796ef8154119b78470c8913d3861a4acea8dfca3cfae90ddd9e3aee14f4a51ff04c1696bfff3edfbe8513c14db96f229121e237a485717043accd512009e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
6d7b7723ad6af097c40dd8315350174c

SHA1
4aeaf02be94d86ee375e9c3a99400a2a6f418948

SHA256
99d07a6eb6566505166f46af7d342b26d0bdb567a135add3454da4a6d45ba130

SHA512
17f219270297729f469d7d5fcd1a28c94c8c85851571066060124ce43daab8e53245b94a2f17c45ba89cf99a3db51fe035b051e685a4404e0c4528ff619a5775

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
77a0a28d5cad3b06da111d9d6bfbf296

SHA1
0c1152858950e4e9d834514ad406bb9993720789

SHA256
18b75fa89249c396cb0d548f82dd3a642b11e06bd06996d3b452a9e4b518cdf8

SHA512
30c7d448361ad11dcaec753cbdc7ab1e3b3e8231dc071921c15f49a60d22f78059acddb0a0f9b7f62c43054062e9c306599cd37cce2ced6f1c203bd805ddd870

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
80964d5ec1114409eaab0bd1031af4b1

SHA1
d31b66810cea58ea06e55ac4a58d24ce151609fe

SHA256
e0fcbe8d6f1f0be1ddff027af6c11ed9fe8c8c81438f1616dfd7ba60603fd42b

SHA512
167eda49f134c97f7f1d7cce47b785f948998a1d63209e0c7010f9ba5ba89ad722d4e0f3e8a58b40fbbf307d16579fa97855645568b1d1335971e42ecfc1e8a9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
bca3b091f8007c5e9c3b1b6fb6bce4b3

SHA1
23b0d43ed80bff36f4884723bb08df7b012c762d

SHA256
113c9d2ddd406da0fdf3cf3ab6a46f12504a9fe36e8e563f89dd41a439fb382b

SHA512
d408e30e4b925cb13fbac8c0903a2797b9fef8efdab6b5c9aafda5f38b5a8192cfd492c9a5982b46f970bc492d754fbc1394186b81246c713f89c8c0aefe2101

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ae35526e34498ff7b55c3da3d04e0b27

SHA1
09eafc81c1b048e848d4f54d62de69a128e791a9

SHA256
91576330684fedcf36bcbf108fbc61ddb79ea7928196a847c90ad43af3a7f101

SHA512
051bd9314435758d2aa306bb3de5dfcc6ed8d428ccd718114d307f3de74212736f24e58a3701d66b2d539ab779df4198674ed3a4d1d611d5776b5401caf54d45

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b18a1fc1f3118129d05e2a324c1427f7

SHA1
871214c216092f872246de31e39faf3148f7f418

SHA256
4764a97c541e14df1bdfdce2a59e63fd41205f8b340e2504cd16f5516a7cb432

SHA512
eb5d88c1e9caa27c4fdf2c9ec11f2f2e6d022b6384cff57be1a34418c44d71fffa7892c4be48bfa2142df9f952ef97272fd81f6e5479f3a1c7898634209f4eb6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
be2f95a8d2d179e799d5d045b206b24a

SHA1
c5826597e825525360600d3948f2195c8a07cc3d

SHA256
fd5686a2128fc7d9ae64b04eec1a6aff68e9265e8c27c77e7b8fb6367d1962e6

SHA512
74baa29bdcda208cc1e89be517e590c25dbf9a3cea7ccd93bd29ac14fbc1ccb16b5dc65eb9d776ff000b8bc507417fe78b835fd909f3256285bee63ad21fd9b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
67d9ddfc211fa7061592f134efd664be

SHA1
3961713577ae0075ffc84005a7d4491710a8e780

SHA256
dd8467d07428045db39663bc17e338fa0b646d88230e883276afeef482a592f9

SHA512
b504badd354e29b26976cc02be3bbc5529bbefd41f4cdcf43e60df518ad52de55c3343502f04e060159dc7d3444ea2af250d431c4abf91bca66dcff6d8e05adf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
5d9188c32c72b144c932c09b08bec35a

SHA1
a30acabed8f110693ea16eb0e0cd2de5204ae307

SHA256
6ad0c9adb613277a7bfefdbf97922893a0c5e4248f266188ba7d521765629fef

SHA512
d4419a65eccd1ae370f21bb810a6d8719beedf9715aad91ea9a75a7dd34c94d23fc757d02ac0876c91ecae9f6f096f9ebfaa9b7142436adff9bcfeadb7581233

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f48a0344197db7d15db975bce7166f8a

SHA1
4178ed78c63e507aa6b2740354da588beec47584

SHA256
3a4993d00aa77d6753c94100e810baed17ad0f342b9f3ae0306bfe744863d19a

SHA512
b79bca7de91cb9b7ff5125334e6cd2a3377a8999e0024f1f2d7975c06fd1ab55d2bec1a5689dd670629e29f463fcfcd1ac803f04f8553b408e3d14b67372cb2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2d2096a9483fd39e288f104c753cda78

SHA1
42218b29cfc804627bcb9e60abb5d7fb2fa551bd

SHA256
835e15284ca6f1c6fda0070d51b5e51427a23b594aa5699dda560c0d4144c28c

SHA512
9c5f18a1f5b72b2f71889c8caaeda9cac5fe3562bd77525425f673ef40eb488fc89e3ac65961529daf544d387a4a3af99836f3a8b7412e7239964ead09689ded

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
4cf63733abb86c952752fcdb6f7429fa

SHA1
73af35be8dffdcda2be9f61ede246af775f47727

SHA256
645594a2a24c1ce90361e160ca517772558d6f3b5e5595e4abec1c41e30bbde0

SHA512
de6939f3b07b1b7146b5971089cb4426972230fb120ecf799f1a92d8eeb4f48d0674052ae5cb11fd10f8f02ada6f4b01090c048fed02cfd89377656df925febf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
ab7bb9c1e9f7dd5c43153d14657f707c

SHA1
5f3cbed736979f738f40f68b88f2cf8e75c4bea9

SHA256
c50fa5d78310365641194f06e456473f364841192c028a04387615a09f1f0921

SHA512
73c63beb3b7f692263399cd46451616eac2c5332a59edfe8a03949864787e39b9ea4c8fefe3341f02d6c32f965d36b53c76e3c8ca51fbfcb061581a510b0457a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ebc810ae9e58453a72d7b4d880ba244d

SHA1
4b653ad0d3f5c724a694929e42d05de571b2eca5

SHA256
44042037e9102b13a30487caf98c32c605b90f3e27a5d5eeedeecde524333773

SHA512
53ba34acb3ffaf194a661616be14735a6fc9ac9b62d41f53b09846b7708b142ed64f82191f9b03f0b46af55c808270534f7dd455dbd422a8215fa2d12b3ffc17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
91709793215afa3af8c662f3720ac9d1

SHA1
a1f1f19d32cb2cbfd7d3e16b231d1fd90491f2af

SHA256
1b42fda6ecf64dc5396527d2405a7a11c416ec0c4efd6e30adfa82daf3d6efc8

SHA512
c1d720d0a80a5fb374876a201aa613c085faba7cf26dd6bd1d7c74ce529d5ea63c4b4ddcddd71a9e93984d1db46fddf1d2f91e9d1f2594936aeda6ec5cc65af6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
285e94fa2c07c9ba8347af6059af4b7c

SHA1
5fc1decdfe28acc43cac705258f4ca1889b353fb

SHA256
5922fc9e58a7ace93397fe3e6db69a4fded9cb5233db523b891aad1ad1e362bc

SHA512
7bf609f340e8bde03681235f25e62e3f158b1cd4c3163e48bda84ff0a42b284f4009989a2faeb731e27c331cf36206114c1a5676b13b44efcfe9d48f322a89dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
bc28e2cea77791bea5a3317b868fa474

SHA1
79bbfdc83baef6a67bb3f8d6607d4a1247f25a70

SHA256
d6ee4fa1ac7169756b9283debfe6487d45ee9764260f0d49b808968dc07105e6

SHA512
f136a4067adce5c75f15c4513b701d2038a25a321bfcb6c1f1bbffa836754abd51f9afd9dbee39e58b54c4a4dc975e09e19fdc692f9fb2ce213a22b8e4e68609

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
9bd70e5b0211d6a8d19b9ba1a7cf3c28

SHA1
c78eaecbda15aa749a91333d07894f69b645034f

SHA256
5f8fe62be7f42f21a1f617c107a93e2331503d851ff60ed1a27afa24e3aa36c1

SHA512
5be790e9ffd37855fbbf0bf88789ded968c861b709af1805da1111c4781fc09c8b359f087586bae55ab5fb53a4facb91fb7d7bda6630fa676bae3018f409f50e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
45cfd80ddab2f1a767083ee4c9990539

SHA1
e809c32a7a8b972a07cc9ba242f77fd564c9e560

SHA256
305caacdfe93d4a683d3ada459d2acbfc5bbf020ce14abcef7a7b36434de6632

SHA512
a8d4a7ac82ee56caf239cdd7329f9ec2b3e846f31ac09f514e53f9c1e57a3dff1f31c28722a3993c45f4c81fdd3ac90b462c8ea169ad7d0c99f4e6d9f4053022

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b5be7056faa3983ac8f5907f2a04cabc

SHA1
ce32889a9df4d0ed0b8c016f35cbfdf051449a25

SHA256
c33c350d5a28c6b463420f244f995d3b4b0d41a8988a9ab20d6bfa7ee7b09962

SHA512
3c9b91b0a0f560f318678c4bd15d921e9e056f42be5382734c0bc0068b432856cd5ed54002c806ee2c89a3bd21caecb423b8ffd18368748f983b300377b4c0e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
746f208e8d270245e64b4535f374eaef

SHA1
518a018fce69aff6c9e081a6886a376b51f02c1a

SHA256
02d861bd86f7ce9aeb32deb5863a764352ee257dedd9f8f2d1762ae3ebbd089f

SHA512
b917921887fd9c9be4ec4b22afc4be38a4edc99be9d4cd212fe0002dd5ebc9e4ba2812559f23b670e5e33e03e5b4c9ae74c668729d3d54fcf2d0d1d9036ab66b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
67bf7e0beefd08fbae6a1ec7f5df2f27

SHA1
3aabc9bdba43938ce023a690e1f3bd35e0aa3228

SHA256
ee9562aa0d6eb5b85870b0414114f26b96f23db42ddeeec2c363fad1d69e63f3

SHA512
05db77ac91d4f7090d4e7b232289903c8ee1050d8f64d248d6dd364ace05f25818dfb7eff9a7414d5d784a86a2a7c24d9763b26111a4c3f709937d09acd963ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
24270c83f1d770c16e612cffa7c966d7

SHA1
3ee0e1bdcc61515f117ef9c273d6e6df2348972a

SHA256
f45532c727cac327b4326b2315a1de80e0b46a0757b606a49045f08483e596f0

SHA512
66dec3438c45c2cb00454a064807e96b4e8d9a4b688f5f2b40a64a664ac97baae48562bd87f370d25cb4887a2597ce1a787189fea861523059ce2f0641a4ec87

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d3ce7a54d3c29ce2b9a667c246a142c8

SHA1
5527bc8d5ab22fcb4f702fcc468d168f36500e22

SHA256
aa254ea28135613d083669039b3db55a48456c94a22380797d44058adb3968b2

SHA512
0da0bbddbc00efadaf74fc0ca4570412c2a9fbcffde50f30f16eacd1db151f97699ae2abacddb85604b8459633e50005e00d7694093cccbe4729ef4db82c702f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
4d34c7e3205e23bbb2934481c06aabd4

SHA1
06d69c6b8013c892da662b701422a48b3a7909a2

SHA256
7105cda224d9d6eeb5085e335dca7579844606aa0e181065faf96c2a0625b8ba

SHA512
57a495a3c29b0b2c59a6ba9a07a248a4836e01e7b3c294038add6066c21b5b55fc0bb5f88ea757b2c40572b90e3fe483c5af75cd9c79cf55e7d8dbca3e55bc7b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b4fc3ad36a93c1bd1fa82b33cac52f2d

SHA1
8d104c3b4b0988cd6ce9efaad555c1e6ea6001c4

SHA256
08ee0ceb2eb31115a48b7bbabc66e0822aa8fa770eaa7a51cac29151288de554

SHA512
2709939a326953909a9debaa6841ce5647f53d834b39220cb7b1a7dab1f82ca5d24308e8aba5c7808e485fd882261d4cc0ee7ba27fc5c3e8843d330680b6929c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
269da89ab524cd94906a0280c3656549

SHA1
fb35e1f02ba6b5cfe15f92c6798faf27b84830e3

SHA256
68d717a5ea22775503b3074647e55817f37a9de262b529f95201c882ed61bfcd

SHA512
24aff8135de8b25105f3f630bfda486944ec05528e5f0c017f66e32cb2a2f1437a44905db3740d1f5b1f59e9bf19ef696faa6450041687f8b1af12e380424d87

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
dd5b11114a24a64c168e708458dcf7d4

SHA1
f0c2a316a725b34dcd312ea059f2dccdd86bd42d

SHA256
bb75a1d1d40193c270f8988428d6a06998242974b33583a410b115c38f02d79c

SHA512
5bd074db42c4fff1d1408a14b9db156bd039047977ad95b50d7275165828b52cb33fe1b55d7252cc42e351179975bfd4fba5108408c4c744fdbbcf1ffc6bfe5e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5e20e22b71b153474b6c7970631ce60a

SHA1
67ffc32b43e7ba0c09bc573515951cdb2e0f8706

SHA256
c08a35004907f0f6e1824a3783eff5acff24d659b5283bb34003ba3947196e25

SHA512
00f56c708b08514214a89ba7943b9807854b827ecfdc8656aaecfe0fd084493c3d8631b838737ff95e64a58ed41f9052abb910f5fa3e28dfd6c4aa55303a7f8a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f83b41c99eb74d30b534e80dc6f13099

SHA1
f7f31de12c0202c5ed2696f6e43330f425a42dc1

SHA256
9c767f7a0ed0d76608ad79b112187b46c270cdc2a2fa945acd31f28d49e79daf

SHA512
1fe091c788404df8f252163bed9d9fe2e16fbd3e6977c2290b31bc25b576c696069fdd1cfd675c94b35fe07798a20a8f7babf8425fdefcec67da3949637a0b83

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b82bb14f2d12f5b6736b4f686b36d733

SHA1
c8b0cc2bc502adbc1668e5a6ac9d55a422be6e87

SHA256
6e2953cbab3fbdf10168ef50f739757d6e6d45262fd016092413e83f57ee31a2

SHA512
d2182df5290224fb9820b73979f57f79ef561114313d0cbb5b3cc623e40c4d7363ac33271c1fa0cf35b3fc722739a96a33fc8f927f91a1bd7c9d37902c9f3bd7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
353d24d354876718e70a348e284565bf

SHA1
33ef7183b67e4cdac259e8af904911df9250d86c

SHA256
7ccc4a2be7da75ed2ca8bf23972a8b2e0311c44cc7c1c8bc0a67d3ecbe865f0c

SHA512
fbc58a78cdbd78cb37a7d1cee57b1552d7f893ce83f1c57c553eab2fa33d032fbf472599ba1bcd54fecd204c5ea12b01ed98a0e2df79d6ab47ce04b4cded415b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cc5d0fc04293e287fbe3b0b975eecf41

SHA1
2078e8962ca31cdd0e4c759ff3ed82ba1bf5e213

SHA256
8cb1587a0c81069248d8cc1a6b3a9f51a69d1186df0114917fc48f8e8da62115

SHA512
30d61a949a9882e30218d1ebf76f3fe30279cc20797f6105e47a6b825edc4e436ac9c36302066c7cad5cdcb49196ea37e36719750b18705293a822ececf2952b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ed1c416315d184d49eb927a83b28e8c2

SHA1
8f17990ce052eca39ddad87c509ff884f18cae79

SHA256
bf7e55c45ff09cf05a2c1db648d774ef305c3a0e1fd2d8ae38c89796f5cdfbe6

SHA512
b1116bd3c26101dcf8e774759b9efcd974dfa4e6a4801d608831628b41469c52719c04dd5a39e414d55b3fce0f8bed0188426a143da06bed2b53fc43ea795b8b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7a58935abc5771fb73c311395215fd10

SHA1
fccdaa0ae4d01175ec13e4d62d0bf600ca14ce71

SHA256
085468fd04ef26e14fd25564335c174874d2542e4573f2a3f5181dd106ae24f7

SHA512
75435752cfbfe2597ecc8f0cf450a5e693a7f414d467138216cece288154c448b3d966a2a580c610ad799fd9d5179a7e6ead1ad2ff408ec160ac5f2d6265a9fb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5591edcc5af50fd2f8933199d92b402f

SHA1
19afc4bb293e07c457dcedaa27bfcaefdcb792c9

SHA256
5a7495d4e303bc2704fb7978f215f2f238fe5cc5c5a2f45c14fe6dcb208959b7

SHA512
0a67160e87ff3073edc5d36cc7f5c0ab13e916b21d9b7e1ca39cc2710ca4900a42f9fa6f04f02f3d8ab50553048613172d4a5300de526b81e3d6cf046a858a15

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
58ad6412bc27cb5e902cb23ed6b09fe7

SHA1
ca01010933d4511d462ff5c5712eb808f5ee4255

SHA256
72a1ee3fe964f9bd3548054e66a9cd23444624c4a86c23937fbe2f8ae8aae00c

SHA512
b0a5eb79a9d2ce41141c5c1665e5c1cc13d8396baa6b73e5ea7e5c525e330473534e3b7f03ef041714b8b93388b346335e89654bf437d6d178a5fac7c9ea6ff9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
eedd32761632be03c025ce91d439833a

SHA1
92b7c92baf933b8c4209a38fcb957c35eb1d47ec

SHA256
47d9a04595309b5ad196edd3c46d5c5a453489285b0d8000ed5195094743646a

SHA512
051fe5b55ffce5837735a620b37729e4ed29bcb016a730b193513cc0865659b914a2885b0b0dc0edcf134dcd468bf37bce13b75744e22067c8990b2c6ff458dc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
728ba0249473d6a15ee13a917dcd40a2

SHA1
b5e8cb8b681d34459276a406b6704643567f16dc

SHA256
198a25d404d5c3b87c9e7dbf7bfb7635f850911131485f0531b31802dde29e85

SHA512
b6aec19a054fbf55e6c1659b49f760b2393bc47c4300132b16f86805dc9e6b0916c477bfa08d66758ae0ba776dca389f0c1fad8779af1319faea0d7379e24a43

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4ae78f77c364c05568b6cde45479560c

SHA1
f80fdce818a2202ddbebd352e56def215ed799d8

SHA256
b438762cd33f6d25161d0b2f1aacf0d6fff9c31c6b50f9c2b391104f27dcab03

SHA512
28be0d47956877640d3419bceca3040c7f126829835fa39e47bb72c402376d4f31c20ce002c87a206ba315a6016159c4ea33c8ea2869e3976ea9589b4b76c789

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a1f49401ac4e4300798fcdb7df0036c7

SHA1
fcfca0ca5cece7fc0ee3f5da8213996fe613d688

SHA256
a1c332bd7ad8e98a2261c3be409769e10213e9a2b09106dbd164257ae0a71d80

SHA512
b53367074cc2f04eed54df5b8911504676ee6c2155b50e90c76ec958d0143a06d6c82f3b6de46f1207208ddc704f2e9f44294e8fa5ccd68445aabb9e32313c77

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
16ba98e0cc59ffc1b9a26a15301552a6

SHA1
c7564d4bc6945c3ba920a72f99def2905ecb7dda

SHA256
9d7597669d3f7d08ab73a81e13f13766cac63ce7e5e85a4690aec3403649a349

SHA512
aaef413d49a7eafc6fcfc6b6f313f814aee012dc29c643b7350731db8d93fb1a312de8632ba37a060283fd45d860a8a0e573b6b44ed3662974599a441a1bdda8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c7671e582d368bed8496497920dfaf3e

SHA1
c3251d420f874ecb57c0ea5483c5e93f4ed56f15

SHA256
db71ef57286b399602e6bbcaf56ed1da1d386bcd808cb96983766ea540b76c6b

SHA512
9639dfad7f24af78ca4ee064261d11371c1e591b3a9e5c5e8374b87b1f256906e1b1ba3ab17362e1ab255ef15247c5341c1c0c0a0411f201301190537ac47725

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b7d23f7246ee55d921580dadf84d47fd

SHA1
ad690df8567578fc7c8ab25bacc9eda2cf705ce6

SHA256
1401b55cfff4e7180463ff59995170e87962427b0dff6663e9e919cf9f0a8fcb

SHA512
f8bbbffbba20614233f5ad944a1055c80e467642f69c596f325a267ea6e85e8451c7ccdb5037a63a97b02cf263627351f3a812672b929dace0db830fbbf33aa0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
52a9391bba4759f9aa8a8643289381b3

SHA1
0b67f2482b745fca8720ea9da01c2d6fe4476a81

SHA256
2c253d4ebdfcdcb165847c3d295180b27d95b38e22f26fea7977e6eabc15d22d

SHA512
89c0696c3189f4c483554eeea966612679e58790f9dfa5b74cc269dc01ace66e3296e9938403e15fd0bdc533f63939cefd322a2f3d03c1af04596562df30c641

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
1658473c8349c74ad31851bc15a3f3dd

SHA1
781b5a83786198e7c67efe0c4dc99e7925908948

SHA256
b5da073655b14011224c40a5d2a1acae1a3f99f8010929c698f1701a8f1e151f

SHA512
756c9c052a4768bcb88087dad69ac60eadf501047b486c948950aebc572400659270da59ca4f9cacf83d301c00bd0cefbc09bdf114fcf27ffd61929958eacce0

Download Submit
memory/216-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/216-654-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1280-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1280-239-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1516-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1516-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1644-516-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1644-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1656-656-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1656-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1792-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1792-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1792-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1792-116-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2440-655-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2440-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2452-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2452-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3060-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3060-35-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3060-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3412-427-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3412-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3596-6-0x0000000002440000-0x00000000024A7000-memory.dmp

Filesize
412KB

Download
memory/3596-1-0x0000000002440000-0x00000000024A7000-memory.dmp

Filesize
412KB

Download
memory/3596-89-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3596-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3644-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3644-85-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3644-76-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3644-81-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3644-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3660-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3660-269-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3660-583-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3872-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3872-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3872-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3872-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4176-44-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4176-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4176-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4176-38-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4176-49-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4224-660-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4224-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4280-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4280-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4464-461-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4464-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4476-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4476-215-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4584-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4584-659-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4656-90-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4656-98-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4840-653-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4840-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4968-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4968-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4968-53-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4968-59-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download