de9a9f13b44c59a5c2bd51277e6785f62037cddf22cd0a0227d57b2c88af8d43

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
Size

712KB
MD5

99433a53dda567ce67141db2f6ae5238
SHA1

c1db414a5bbb4009281c69ad17a8f20b02d7f632
SHA256

de9a9f13b44c59a5c2bd51277e6785f62037cddf22cd0a0227d57b2c88af8d43
SHA512

c37643acc6b250101488feb3582ede2800ad5577beeff597d754a215a3e1e41829a3fb2251d5586d5a74980f9fcf34414d676156571df46a8bd35dea23344b35
SSDEEP

12288:UtOw6BaHMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:K6BjSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5028	alg.exe
4392	DiagnosticsHub.StandardCollector.Service.exe
2912	fxssvc.exe
2396	elevation_service.exe
1404	elevation_service.exe
3152	maintenanceservice.exe
4220	msdtc.exe
5020	OSE.EXE
4940	PerceptionSimulationService.exe
2548	perfhost.exe
3312	locator.exe
2168	SensorDataService.exe
4212	snmptrap.exe
3804	spectrum.exe
4560	ssh-agent.exe
1748	TieringEngineService.exe
2132	AgentService.exe
2932	vds.exe
1340	vssvc.exe
3076	wbengine.exe
3196	WmiApSrv.exe
5016	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4d82ec3890c504c9.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\javaw.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7ed0cf5f2d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000331052f5f2d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8efcef4f2d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0f290f4f2d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c399b5f3f2d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e9a5bf5f2d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000824ac6f3f2d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
Token: SeAuditPrivilege	2912	fxssvc.exe
Token: SeRestorePrivilege	1748	TieringEngineService.exe
Token: SeManageVolumePrivilege	1748	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2132	AgentService.exe
Token: SeBackupPrivilege	1340	vssvc.exe
Token: SeRestorePrivilege	1340	vssvc.exe
Token: SeAuditPrivilege	1340	vssvc.exe
Token: SeBackupPrivilege	3076	wbengine.exe
Token: SeRestorePrivilege	3076	wbengine.exe
Token: SeSecurityPrivilege	3076	wbengine.exe
Token: 33	5016	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5016	SearchIndexer.exe
Token: SeDebugPrivilege	3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
Token: SeDebugPrivilege	3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
Token: SeDebugPrivilege	3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
Token: SeDebugPrivilege	3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
Token: SeDebugPrivilege	3748	2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
Token: SeDebugPrivilege	5028	alg.exe
Token: SeDebugPrivilege	5028	alg.exe
Token: SeDebugPrivilege	5028	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4752	5016	SearchIndexer.exe	112
PID 5016 wrote to memory of 4752	5016	SearchIndexer.exe	112
PID 5016 wrote to memory of 2184	5016	SearchIndexer.exe	113
PID 5016 wrote to memory of 2184	5016	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_99433a53dda567ce67141db2f6ae5238_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3280

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2396

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1404

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3152

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4220

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2168

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3804

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2928

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4752
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
517fbbc1e5da0cbf79aad8fe069d6789

SHA1
6c8c620fc49d0a2bc10de848cf9e47f5a7808759

SHA256
c59b158564f8d8aa44653a20b03784fed4c5b94f36d9d29ba89d3f489876fc2f

SHA512
41a8e6fba78277aba548d04cefa46970de1e176428a4220f3a7bab19d67489526c13e9c99cbc5a044cee57007a2d3e46fcff05ce2b7fd5281b7279eb01cc725d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
95c4f2c5d506d1edf29b0c3691ab8d13

SHA1
f7c1ab2b40a4d97393f051ed8fa16f917eb93e82

SHA256
e321a1d3857860c18291f4810bb1a8991b372b6a103d72e632f5f095a19b6f3d

SHA512
4af4e87ec7cc14196a000f5e33591e4f89bb25cad43edbfd6c7f8f32d62a97a72223696df7341353526c2515bfb649a65d7c5dbe9b022150def0f7aa12155fcd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
80b783906b5556d51c004ade7bb57e15

SHA1
e577c166bcd73496fa385e5d3e4e6854038e04a7

SHA256
a5dc5de81f647e5af640307351b682c2372cc9a0d980c9f8998f51b66440ed38

SHA512
a32c0b9d18600d942a058c21d575974652183f4fc79eddb297b48070dc8b1302b9ff36c65cb5f082e6aadb084d89faf33a39e834c22b4c0dbf1b2e4f5504b215

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2743a02b827797c4b9a362acfd4864fa

SHA1
022d475c4c91c39057a78a65fed66e204d48da11

SHA256
89d7a65a8a4e0fee78da6916b090a9bc1ea116cc719d2c1d1f00e4933f851d04

SHA512
61b901d744d59df42aacb8804524f20e23ccd685a46140352e1b446991166ac1c482d592f72bd73f417383c9378587652c075121a0bf79e2ad3e759646f6567c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
34910977fc4403bd526537e0ce84d4fe

SHA1
321a81be19b89540fc2088f0ea79953ddd90c474

SHA256
2d0079799191efa2a5b4eb2df433251db1bdd2582f5b6dfa71aaebfdbeb22f33

SHA512
c76db897fe7c0ba21a04c61b8647f59503d4b02b1c9ad1d4769d90c83c0d11e686c73b868c0f1574ed466a12053d388c051c5c71fb613021e182c5efa73f693c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
40555171abed2681bd76db5db629591d

SHA1
29c598aadcbb0824999b430390634515e0d1de5e

SHA256
303c2d23fe3e4aa95812ea6837ee04e72ef851f3f82efd0282fda57c8b74b393

SHA512
045bd42ec449bbfed596fd7ac4f31b803ea52e4c0a616816ae1a9ae8442f49c0bf7513f419affb6933e2cfb934da61be5f30f46375d656fc4db007784606acb3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
7cb9721d39f2faf17b5809b1cbe4c446

SHA1
42fd24b0a45589cd2a7c1fdab0b3efeb5482fb29

SHA256
ab4f976ee36f93478e366188b81d5640f17bebe5ecf6098b5116102642fbe6f5

SHA512
6d785a3723f2d2654bdae0164ab53d1545623baf3fb4bc183f67df3dc8374414e106ce36d14d31f3e166d07bc9f061e6109fc560ba3bf2a224e34a1ad01d3657

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7bf32a22ee5a71570e974086531948d7

SHA1
077ab8c8f5da5eb8ec438c83f4b3950a1af9a049

SHA256
3d394ff146be083c36e088bd4cf78947dfa0714a90447587c4eff7f36a0491b9

SHA512
605f562ee315649673ea304b7df62ceeab31a1c077b341d5f30412b2692eeaabc5375f849de322efa76373f91c09e46a0df9c42e4854dcdaf749cfc3517bc8e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6cb4e285dd9c834517aa9e11f0f922e5

SHA1
20502229da09dd42ed62fb885217467ef20b8536

SHA256
6c80f9b819b774251ba67a2e5cd50728fd994d6c9d24a3214d9b6025b512312e

SHA512
3c9c05849428918ce10d62aebf8ca01d4a06a60d92e96be5e03360aa446e3d5b39d99f9cb3173cb59ea592735af2618bec5ce622910349857f2b3897f49d1a05

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c869fe64cbc4bf524c96bd942808e41a

SHA1
5076b2b64282a771abad1030110de59a745a4c07

SHA256
e42d0aeec988248af6ad1c9da615cc54b2b3e4df4aaeb3e1a08591a24bed8c9c

SHA512
012c8605877a5ffbfd309ab8ceab56fa476884b798398772771a8f69035092e649484e8b8e844785882da3769cdbe93ff5a4c063780b3789fdfc525685379bea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ac628c6af9a88b5f358589c5d46b0ddf

SHA1
99d62f13c2caae3f4cb87780e12ef263e976698b

SHA256
17b1d43935c96f26c6795db0b557853fc06288b58710dc1ffaf5973928ea6020

SHA512
bf146f89e219a96fda2883f9ca8faafef851fadacd0605d5628075fee91700ff9c6191ca1a48a294ffe5ebc63edb91dfc01ed63a1560ab99e5c47af5d3083899

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
295e88ce014a6860258b20bc87fe236d

SHA1
5ed3832ddce10debe9d8399d2b1a27943913f181

SHA256
86e2e3130545a5c6732b209e1ec37d5b617d216150df3ccf9918766a0a26ad64

SHA512
d64a404d888366c5d6f7137ddb2b4f524956194f7c9edb38d8e0f28723709d9d565d58444d2e70a1263f863a33d9918afbeafc65fe6b241de00d90a3784731b0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a0d6941e07c00e86b433cffe1508529e

SHA1
851fd23a5b2c1b0e22b383ea42e995f19d082ec3

SHA256
e69043341a5c2d8ac34f347fbf1e171d1d1fa5d4b1edcd32a5fe11e730868c4c

SHA512
856777fd9023a5e659ebce3756f1466c82cdbc36d1a0e44a98eb8966d622e47cb55788751c688224aa803f52a6c6beabe09705fd948894edbbb8bf19ada485c4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e16583e0607cb8197d8d179e5e43c685

SHA1
1c4464cdc6898ff529f9dd249425cbcd0121296e

SHA256
44db82af2956b269ab5299f61baeae62f879ba9352a479ff9e014fcb9867cbf3

SHA512
3aa6498a5b7ce85c96be3c7d933b1b9721e6072b326c43464de08882717bf42d540c668cc377619604720facf348c58f9d4da2ecf7957f5ddb78dc8c7f30b8dc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
5c4323363a16f47fdb791a259718ab89

SHA1
12be20e4ffc7ea92a3ab93bf0a1f34672c5d97e7

SHA256
afd22a58a54113bc78110b12f77bfbb02bb3db9fc90545e2672697f1541c488c

SHA512
fa74e527588924282fba3d7aa4ce326bfda245fd44569f860c4929b10963b9808d07cb3f43fd91a484d6a3f5326eef4dbb0d65a06667ed394fe9575943ba9cbe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
39d0eadbd491af5f2e6521c7c5af4687

SHA1
b809b28e854e81b5ff85b9c6f76f039fed75e18d

SHA256
9dc505f77a4ef0d0853b7b2015330ac50bb7d5a9682e1b0a0bf77751103cd3e0

SHA512
6bfc20c20d7de945e57f33653a28aa30c82dc4c931b009366670cbf4ca5f8eb3176b7bac53c0216df4e970bd2c945a29085b6ece8b500879b97a4c23d31249e2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e4b0a6f67b8550c1d2892a7eb4c639e1

SHA1
4ff902272e79f008a78a758fe04528a78464bb19

SHA256
e36375eacc93c648322a72e3059573fd57f4741a4fd70f8bd80ddd4772895786

SHA512
29dffbaa6eee4f232a5f3868278736072207a295dda3d05f206815783509b8d66dde891d1e063b71933ab5bd50191f266b9aa2e04606d9226aa8e4088a222774

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
b756babef1a2dac787d4f7e39c38d062

SHA1
cbfbf14de03fa5f608739a5dd77d437ad05a8ba5

SHA256
a7597beb1307df03d9d3cb86e2d108a1afcfba4c3a789db10c4966dbefca069e

SHA512
299d7c97f1ccaa159f9c0ba656d22b6165c310cbb3b3d4d744006aa0cedc431eac92115c413b9f1153b9b087dc2b152a66e3c93bbc5eb23f94f5412b5f215372

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
7ab5ef94d7477be384db417d992c611e

SHA1
73047d53b5882b07763eb4b03f7a9400e90dd80d

SHA256
a464079951c5de2c6c92c8dfa4746c3bffc99e4576cdfdd257587e085c5785de

SHA512
748ae5c96931f837b149621398aa90f41acf8fb001a334d13431efc719e1e785c4f3aadbda39c9b09661a5cd1a51ba85d8d57edd231e415c21bc35e80394def4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
399199a3bf846fd89d6fb695734912b8

SHA1
a5cda70afb693b594d70e68c7202f6cba5c6872d

SHA256
d2c76dd276255efe218fed3c7c1fe502274dc8289656540a319ff4177e6c99ff

SHA512
d4c857d2f38b9ffbf82a3beaed0ac05e15d079316121883e1702c8774c27be2c34eb7c28474aeb35bdba70f3d4bb0e667c8f639bded696bb04e90a101a400623

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a855050901a9367bd523790a6cdde408

SHA1
1b629ac34cc7866ff6853f7e635b2ed5d328586f

SHA256
84b62a6ccecafd1c50e53fdee426ffd1e6a3963768fab2f460a2ea834503a4b5

SHA512
a9defbd6b249986dd0a66b2ce1243d3be087bf2b2ecb39f1acf878a34bc9ff0b1704a98cfe7f9c12f2e2b267f7f7a3f5d85714fa3784e1d35a3e075042d0084b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c90d13ba806b1db90503d7e99824a3aa

SHA1
05cb7add85d31d97be4fcf8208980fbf1f7c965a

SHA256
a9e467cc9ca0cb5ac53a3d3aee808859b72f0a792a238bd0a0a07f1de127e785

SHA512
4b3fb9cdf6ae5f0eba3a5fd80ba96bfe4400dbb9b75aa2f35dd9d7a2dc95cafdac80265f63ee5380eac23c63ad7b2538757f8d4f840f0d69a85fae8b5c84ae94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f0cba7d59acae21603ce31ed66dd60f5

SHA1
68dc0c59f933092a30df55eb6188fc29509c5642

SHA256
94cdc84e188111164c4f5d06e5d08c484ad57a58a9e61e8e3083e3384bef7016

SHA512
7902d2cedf52fe3585123cfd92814d82574d40c00f4a3dad03d43016cd09185d681799e3a815d55e71cb7ffd0c479723e8de4161c87cf844b25df8d8d04b9d02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
da4d9d93c879453d37614e8ddc5cb9e9

SHA1
17408c9397b955ce6df1e554f2d15f087b39ecdc

SHA256
621d5d21a1f4f877b354188324187bb77a29798e593998c22ac0683e62685508

SHA512
8fb671658b49d53d295f7bda5ec86229748b1a64ff42abfd07b6c9bdaa936c30acea417634bd475c8782d691ad017ee2a216086568731d7ea3f670ca769c0d58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
49a8502010eb63f75559a55ce8b013d6

SHA1
2cc9c878eacc9c7a33aeb3dd7f6d1b788dda3ff7

SHA256
fe597be69125ce3a0b8e2d5c3aad09144f515fc5f2c5906cefc7365a911ea06a

SHA512
0a76e96b322952e3fe692636aed3faf5df4c39c1411e040b25ce713c3f2f9f149bfc1e6657deba6b9f478f1887c542d6c9b7dbe5141cf1c3f0dd95949d7b89d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
2b8417e301134e765379a64e481d7f42

SHA1
076b38cad165093971b2b4aa662f89c7887f666c

SHA256
c93d1fffc19ed490f5e6ede6dc16d594dd5db4d6c5ed4411789928afdca5060a

SHA512
49ad1324ddb62e59bd9bae2469cc61f3a698b2c79d7d17ad3d527c19718bf50e50bf407141b7873f02accc560ee283e9ac28433efab871086fd90830f4df4a21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
587c5c6ca42378bb2bb4f428f57ae256

SHA1
3a82d6f591e9d6064092866d332e77a571ef7929

SHA256
c097d373436e42cf0d056df8e83fe891f9e8615fb88d56caf1997549f1054d48

SHA512
20b596c61dfdff980d6c0e553c86b3e78eebf782a11e80f8213f62f8a2ed22dc320e33971fa313afdeeb830eee253cafc65ae47d9fee1abf15a0e19a001e3439

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a1b9fd425462e8c2feec98b31f23de90

SHA1
3eefe2934fa8d1a01eb8b4d552b7da83b01f8960

SHA256
5689e98bdce870c8bbaac97894298d45ba2511890ef302dcbef27898547010ae

SHA512
252aa5e73fcf9efe3510229c94559574cce440c3456d495a310bde43d189b04f80a8ca6a681a3fcf2bf8884882f47b7bfdb0577a4f1f5dd69c7679b7780a1933

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
4f0e8c62477138febe2957443633328b

SHA1
bd0394676b75b235fb0b90f46447c78d3821b9fd

SHA256
04cb7d02b8689031ca09bdec53696078a3a1e21d882a4142c7ee65dba1beabaf

SHA512
d4aa93a4f5cbfb168d3fa980ef8d1e0a344c95d2c6833bd0bfcc91b3247f503573ff118bd4ece6a729841e60bcb5860a569cb6a94692ccb5e654a3cf5ac524b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
663af345413c3b0e0d1865b9db50e255

SHA1
e4140bb9d448048ecc44719dc23c5ba041f8e80f

SHA256
2a019feef8a12248da7f3b78f4d6da6a477f3c581ce611bf48dfdbb88adb5984

SHA512
289d25bd94d9a267901a8b01b9e503ebfff7b4c3ac52fd7688dec917456b9bb2c3baa968c616e262e1aba1ea361a50cced114d0af475e6d223ae78241c211143

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
e5d0af86cf2155f4c8c7ad98dc427c3b

SHA1
9088ce2bac01e113b34bc7de7557707c4b35a141

SHA256
faf29ff05c7b8f444a7daa9775d21188393735ddf5d1beb1d8a3bed7796bd96f

SHA512
ff46a5c43efef75caae586410c7d5ce747dcb4679c3cebb7b979174cf992af207c516fb874aca5a56c3f524d09e16c2547132926d5f983251d6c1aa8823742e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f5205e4440b0743ae893bb7136191d07

SHA1
181fa75106f1dc9822b8d3b874de602726aa2856

SHA256
5555a95ba8062c1020d3e4513e5b4eb0c59e57693a23d10e89ce3eebf92b1fdf

SHA512
17d255b04345451df2b6ace2655be2e0ee8aea3f9137affd66ddf73c396dcd94af7a01dff7a3b6d9bd0d28867883638b0b94f0a341b59d00c985fc3e7884d5f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
8eb9db4f48db058071f775e13cc29317

SHA1
fc11f42115180e3c54163fae7127175188dc911b

SHA256
959d49d36a00b9a0b401015312c6c1f0f2dd3682e1a6b977daf6f42709ff19a6

SHA512
3ba99eeb4083012505f3e48f5701b3730aa151590cd66bf104f620c995f85972335af961914f9d06651770e60738d265e4206829142e22d6864611d681061e07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b869b57cf46db1022d0b16dbb319a892

SHA1
79965a6d47d4d74f1f8f50819c9a7fec22d57a9a

SHA256
b6579c0b3c449650e0d62d6808529be9309d7fce8459e6401102c681b2df264f

SHA512
1c7e3d063d93dde3690199e8b440d0341ee76e08340261b4e26f047aec83d8c7adf2b6be5f1da5f62e2b9c3933aec6578d308e6bc9d6eee083fe6d2dea1eb87d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
fe4b52d4746a367df549ac60e34a2c80

SHA1
968b6ceba4e1a378a93d3e1001508de473ff77e6

SHA256
84ffbfc50fe0a97d8fed7949eb3125e085208753cfe3f8de4b952ea03d2b7280

SHA512
832d643f66e32fb09ee65b7a9d340e8696333611f3f48894e46ce700425e3c9d02ee3a43fb4acf007ad594a3456e6f9c71b98de81cda60b5f7c8249b059acf13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
8da785b9893dbdc309fe4b34935a4fec

SHA1
4136de52e109e3b728a1bdf227bd0f14a94e0324

SHA256
a2a9252143b99f1f9a8c249ee31934df4f5786863d294f86da1d302b73ff5651

SHA512
0182bf7b029177d8d17e7a091647f3dee2e19caeead83e20aac8c63c688894704a897eb81248f043c49baca7a2de2b1294960c4ae45093c217c16f87c5d9df15

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f61d773dd9b9192225dd12b01631f04f

SHA1
07ffbf9c2f4c277bdcffd016d8c4713eee5b5785

SHA256
b446914288f61628fa1e84125a7cec1fb357c7d7750b327d06674a547625f41a

SHA512
c0970f1d30e6bf4a8418aba67a9e60e98419c5b2415f11e3c108cf33a864bd23cc3a0fc8bf43902916dcdc2ca4c3f1446be4638dc7f7235cd2b4c0d74f64881f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
4eab8f4a0c1ebd65668afbc6b9f7bcd9

SHA1
367a6a659bfa066fa2253f1079f5fa29c97e2a00

SHA256
0cd099eb17914510cbb94c841b576359a695235eec12059d9d5273d77895f491

SHA512
0bcea2be68f85caeae8b72b05ff95f554e8e565fee05423edc1c31a44afff47de6aaf064050c14b5e393d43466af4d57662dc32507c366b9380ed70b1bc2f6b2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
68f01d7f38df362d3c746b6b3f094b97

SHA1
5ed4e2424d745f9eff60d2b71470eb0069be45bc

SHA256
74c129862bd4c6d368bf3f5829c9617529174d2228e5882ca0d6f766177842e7

SHA512
ddba13b36465eccd2d0bc33ee09e24a10eeadb4bfbee24ca5297e3b01c977071e52d7cc288a6ddac701adbd10be9cc3d7aa70b74d02e58497f85e4b1f6b92577

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b17e4a03d1190662f33e138b718ede31

SHA1
40ffea0e09daa79f82a2bdf3d9b787199931509d

SHA256
fe0bd4022930e0556c9806519a8eb96ecc8ccdd36c4222797970d47601f7825a

SHA512
730879779636abf88a39c8d3b96514bc32f55aa4a7b1c5549c6b3aed01696053b15351c3b55cd3274e9255425591af0fc4d09c6e6cf2e82d6e37cdd141ee91a7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2b388dc28a4fc9fd2b74722e0e9eab40

SHA1
f0bc4ed530b25fa118759e38cd665fdac98d2b9a

SHA256
996519f04dfd30998172d2189714887746157308f68bbe229e60f5fce2e1e0a3

SHA512
020be479572d40ffc58b6d207f9cfef00dba96d9ba8fcbc75c902255421fc6e43957fefb1e6d057ef5f68da495933358934f50d7375b7c49c7b64bf344954108

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c23a14bda4d7936c78aebd70aa4a5d24

SHA1
f5e47833f264181d8c8011b274fc427ec04e37ce

SHA256
ac1fb65b166e88601e36e4648f2bf6796a2f59e1c2d72024885d491f4f011c94

SHA512
b2d78629198ed561ec8dc8023f4f1f0cf79e9e9055e34f12ca7a05e0d6bb0b8cd32271009f3dba69309d470ba0d432014c19ce6d5a0a2b16e42dd9c685a123f5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e77c4334280ac1c64522b983eba6d145

SHA1
271907d9e11ca6b8832afc6d576a4e6b563be6fe

SHA256
8aebe6d31f4b0f43bed2604e85b360c7d5cda2ab4f4b57e6b5cb679d6d585741

SHA512
d1aa4005eb8b654e7f5cfd4e7403cad80e5eeb5eb180dc52c9e7caa0841427632a2b86e7b78a989936567e476c99f02cce880a91bac63e0544f828542df57005

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
fe15a40fce194f5dd61499cc855233ea

SHA1
c17431667026d0b682ddf194a16f8523deab0476

SHA256
c38a3a3bf6dad2f667b0e5970aad5d1ce947bdd9ece97d4ca1891b6376c7818c

SHA512
ed9ad2b5e06f2173f81e4e1105020e058b87b36417743241a14935a8a30ad2e296a2cd2df931962080a9f59ef657feafd3878ca1a7ab450113c0e6cac34a76f7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
7cd6a7dbe94252fcdcf47ef3b0dfa93b

SHA1
c60a444bf88f6f5d67ed333bdea2985a834415f7

SHA256
9831ae2e72b41f11eb1e5417841430d7f2fb0e0511653ab55d1b986e75bb8d87

SHA512
47f620f1e7b23e12faa025ac11c4e759105427808eeea393b99fe6358decb09337d1d164f184222fae2b862ea4a2c886e600a7e9c19c449379c4c85ddeebbf8d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b4771ee717da48e498747587f2c4c3a4

SHA1
f62a886deb56f31e236c2c8d97cf4e888dd1802f

SHA256
6e52c79d10d065303df56223bb753361f0bcf7405892eb1d87795a2097a89edf

SHA512
bdb2ae82b36d82b490696cf57cc6a826b49c53fe57beb5160a6e124be4465a7a42d3434987b6518f89972f16c448fde5715a3fa1ae2ea30b0ff1060e5f724a3a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7b0feecc4abb54b7056c9e50f550e7e5

SHA1
39523044667e9a761876943c4775045b8dfc8a62

SHA256
2561bf93d6490cb7abd46508ae91c915cb0169846923a7189cfeceeef8280f8e

SHA512
29f42b238096eda627e5d22a4ae3b290a53d1354471af44244f15d7eb24ba2b8109e66ea129f3bc63e2c1e5ebeec62e29ff259723fc3521e044223ab03a5a1b2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
71f63b6626db9f363d59fe71779578f2

SHA1
ebd1da364f4484056eb271941836d7d684c4512a

SHA256
844c40e99d4eed3978d0cb2552311c6113eff5cc2547c651243816d71ed3e3db

SHA512
2da651f1f13e693315b39dfe5710a13512cf1dea45de2ffc7526a99ee0bceb42c99d5a1764e68e2ab983379fe2696fb7562dc76ba508920e1080f65ac8b687e6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
26f6fb9e24ce1624d860769bd6cdf576

SHA1
8b306a2e84e159590d3f4414ffb88904f5d9ff22

SHA256
5355f350c28a0b9bd1169572ae04053b2a12b457b3330db6d566ba4884fc1ec4

SHA512
3be128622d586c6f105654b4b9a13e51adb4dddaf10193fbbae6cfb5c39731de539dbd70c7a3076467ee4355b537425ce49aa8089f2991c78355f65f65e59b76

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dfa48fa3fe0c57a5d87f544c5585e26c

SHA1
d242be38227d5ac1989046b850242183bf16576f

SHA256
3e187eeb1789a54585bc1f62034d31daa17a4b4f0428514af6f8964eeb183b0e

SHA512
39105d912b988a7187abf5b6ab46b26cb93bee2613b1f1b3d52d1df0c36608d677ff17ec7d486f0a15ddb932d55e607125fc0004a9a17c6d4c24bd70ff9d6485

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ebfd23ffb42eec4046145182bb59bb79

SHA1
6725a3dd00dd2a8bf0e8d1a537f136091e189d99

SHA256
64269831c6f575a024187cbf9ef56b762852511534748d12ff369eb58ea914fa

SHA512
3c61b7667c0269242cb51929617a0f74b1624e5d00b2f09c05dd93f26596c1918cdb4b9796d6cb0a742cf3d6a03a0d2b56327d1e0c65c6fe9a0fcc016b87f6cd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b9bf5c863be227cb84e5a8f4be7261b6

SHA1
2bce9c097e2183c53f7ff23879e68f8164cb4b04

SHA256
4f5321a223cc5b6e57ad6d3bc3ad6e09438d488adacd54740d24bdaea17c0e16

SHA512
d75082aca4d3064bae80ab313ec40b55f48e4042dc87e13cd398c4f1a53c0294ab8ee03d51e4bcf27ab754ab6c6130be83d749c4f32b64f7df5fecfddf4b39c2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
016c0d709b1faaa30cf91e717ff6994d

SHA1
b1ecb55e4baaa6ce87839be5d62ad9018088e912

SHA256
d9277da5ba35f75a9e8c8149b42cc6a0c2bd0d18969ee00dbfb1af88b07631b3

SHA512
485c19ac612439917e5285614423c0035857cfe341cbea7d511ca06c681a005c1cbfc0f1aedfc085f906205429450eded691460d4d99b4b9ab596c93240a00ba

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5514b04a4bf062830b4a44667f0af1d1

SHA1
2bbd7e180351fe057591700522be58a718df8aa8

SHA256
cfaf06d91aac483f97e9d85637371dc66b5dfe39d3b4d70038075030082e9a89

SHA512
54a7400aed09662d89dbe19aa4313f7b4d77cfdacf88c33332e06dafa1122c282040849b672b5d06a0b81d8b7a3a12643ab1e246a912ce51c89e9dcec5073663

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a796c77b9a05715eb844308d091d0b0f

SHA1
77aee94ee77a502ca423742d5f38c88a4fda6481

SHA256
87b13281527636ab8033f2846432e83ff0f2058ec909778421b9819e3aa6ccb4

SHA512
ecfc2e27b50ba4c6ec9da1dbd89f00b85b1573c0bb0fe5b6267a70c309a0e3443a9a9e9577fa7c4deac44c411eebc3245b2950581f97a30a52474ac306e7addd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1b3b491d2550e76972828aa596127347

SHA1
380d3670d709254de4e791668338e20c4af6025f

SHA256
0ff422efc913513781850f9179e4fda996eca1346cc456884d463d611de58048

SHA512
cc2edcda79e8b99305f85a5633137dab860cfe979bc6c17c93cf6b7c4c55c83a9ec61b9313746add926c50b42a5328db4465c113cf8e4d1449a272ad7939705e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0addfaa39a9ee01ee24da35ea8b0b45b

SHA1
25e2103f0396ca4d39b40847bdadc82b20e888bb

SHA256
b6dda0a689439ba555913d71df93643161c251c85b90f535c68a5754af400019

SHA512
5d65637a4ed70785ae8905b4dd55a3f82822340a364f18b997cb3f5ed3aa6071ef2a9d5403d8eceb30c277fef0f9d247e4ed5cf08d9ce5cec67a54a124472a22

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
e4ac198a69ad26830c668a86f2db408c

SHA1
5a9c3d1fc2e9321034a1d0a97f47e5ba81c9f610

SHA256
6774b0849724b2f2cca071017df3b17014519624f7dbb716cdd42e7db52bae1b

SHA512
0960a9034b5ffb95a8f5b54cf4c314e0300e6f309d6470cae178f37a1df4030cef0f98cb168cdb91b363a7d70b5251194a96eee12f598572264d7fb99b787cd3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
c246cdf498b53c41213be92993b8a8bc

SHA1
902526e4f77dc7a0fff76a96389769d8165ce270

SHA256
d198d3d526f431ddd6d71a49a8bc466b072943523a6588bf853b585ae2753153

SHA512
3c972a28dbc7b5be69e3036495ffe09efcbf653bf65bf4ad57237e628d13e1fbf4b5ead35a481347cdcba12899f031ae4adc57eb2d57a381819130f30918e80f

Download Submit
memory/1340-615-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1340-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1404-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1404-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1404-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1404-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1748-611-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1748-207-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2132-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2132-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2168-470-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2168-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2168-609-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2396-61-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2396-59-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2396-53-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2396-180-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2548-134-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2548-260-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2912-50-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2912-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2912-39-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2912-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2912-47-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2932-236-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2932-614-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3076-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3076-616-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3152-82-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/3152-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3152-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3152-76-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/3152-86-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/3196-617-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3196-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3312-279-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3312-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3748-7-0x0000000000B60000-0x0000000000BC6000-memory.dmp

Filesize
408KB

Download
memory/3748-90-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3748-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3748-6-0x0000000000B60000-0x0000000000BC6000-memory.dmp

Filesize
408KB

Download
memory/3748-1-0x0000000000B60000-0x0000000000BC6000-memory.dmp

Filesize
408KB

Download
memory/3804-606-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3804-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4212-171-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4212-589-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4220-218-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4220-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4220-92-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4392-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4392-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4392-139-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4392-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4392-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4560-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4560-610-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4940-118-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4940-248-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5016-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5016-618-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5020-114-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5020-235-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5028-117-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5028-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5028-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5028-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download