a9e4bd3153dc8486b8cf0bbfaaca4c05e5fa5cb7907e4e8483f54fa0610b5a85

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
Size

1.6MB
MD5

cad021f345400c122e19931a7dc3cad0
SHA1

7a06636fda874780f6ad16182f2c975b2fbfa95c
SHA256

a9e4bd3153dc8486b8cf0bbfaaca4c05e5fa5cb7907e4e8483f54fa0610b5a85
SHA512

bf1a3b7ac973b59aa876a6d6fc5776422ed42ddde5bd0347c38e80e2701e56195822584e5d4148bba1cd98039191842e14791f670818066efd573a2c0ace8dba
SSDEEP

12288:WtOw6Baplns7QfMrqPgQN4yBITnMAzZZTyd7zaVgP/u:o6BpQfbnaTbz7Tc7/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4016	alg.exe
1052	DiagnosticsHub.StandardCollector.Service.exe
540	fxssvc.exe
3424	elevation_service.exe
3232	elevation_service.exe
1152	maintenanceservice.exe
3044	msdtc.exe
2168	OSE.EXE
3412	PerceptionSimulationService.exe
2156	perfhost.exe
4712	locator.exe
4456	SensorDataService.exe
4576	snmptrap.exe
4804	spectrum.exe
2724	ssh-agent.exe
1996	TieringEngineService.exe
2204	AgentService.exe
3284	vds.exe
3168	vssvc.exe
4964	wbengine.exe
2720	WmiApSrv.exe
4444	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\506c2af2d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091f31d489999da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f39e6489999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078921b489999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027e10a489999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf4dda489999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a21b06489999da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cfeea489999da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005928b4489999da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe

pid	process
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
Token: SeAuditPrivilege	540	fxssvc.exe
Token: SeRestorePrivilege	1996	TieringEngineService.exe
Token: SeManageVolumePrivilege	1996	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2204	AgentService.exe
Token: SeBackupPrivilege	3168	vssvc.exe
Token: SeRestorePrivilege	3168	vssvc.exe
Token: SeAuditPrivilege	3168	vssvc.exe
Token: SeBackupPrivilege	4964	wbengine.exe
Token: SeRestorePrivilege	4964	wbengine.exe
Token: SeSecurityPrivilege	4964	wbengine.exe
Token: 33	4444	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4444	SearchIndexer.exe
Token: SeDebugPrivilege	3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
Token: SeDebugPrivilege	3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
Token: SeDebugPrivilege	3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
Token: SeDebugPrivilege	3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
Token: SeDebugPrivilege	3380	2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
Token: SeDebugPrivilege	4016	alg.exe
Token: SeDebugPrivilege	4016	alg.exe
Token: SeDebugPrivilege	4016	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4444 wrote to memory of 2412	4444	SearchIndexer.exe	SearchProtocolHost.exe
PID 4444 wrote to memory of 2412	4444	SearchIndexer.exe	SearchProtocolHost.exe
PID 4444 wrote to memory of 3152	4444	SearchIndexer.exe	SearchFilterHost.exe
PID 4444 wrote to memory of 3152	4444	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_cad021f345400c122e19931a7dc3cad0_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3336

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3232

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3044

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4456

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3056

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2412

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3152

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
693f8e8ac1a01bd8a3c63a93cbaa05b5

SHA1
84e48fe2ca3f7b910b45a5d1dc10d2b63eafa21e

SHA256
e84cc772b6d2191bf953ee998814398fccf0bcacf0670b0ed53230deaf4a91e2

SHA512
a06588c83a513acba0e18dc0660b569526cfa965798c165eee3dbe1476bfb37262585dcb068d0e267d1957e0140f7589bd97d882c5f06453992cd9746bd208d4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
1949c85d28bbfe6e02898638a815ee8f

SHA1
4e487a4be025228e96b68908a7b6b1ce4961e046

SHA256
fe75dd79b06f84c159677a06ff25307b2b525922b8edb0ec0e267250d79976f6

SHA512
186513ad4e6723af0ea97b138326bcb1c6c3230e1c611c695f39e88dcbe2954a5bd0e4bdab68691907b2ae3655a29a2a79c9a918a3518373eacafccd2f38c9f7

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
09bd030153b5c1b71cd4e77883b6564f

SHA1
722ef15a772d790b3d9ff1337f2e12abcd27bcba

SHA256
8e1b55e9c8fe0d07a288a4213128988b8021d513df1f866e3e2c929a1d7dd30d

SHA512
a26497a28b799dc09348810aac8408d03ffc015ea2b83477d918171b4acbe0dfef38c4db089647f9798bc8aef7f26142aa343be608c16adeea1659cf23e5b545

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
0e60b7918127088edf34719f936ca743

SHA1
ebe70975b1c82d8682a8b5c4eb4a8f6ea86e2ffa

SHA256
b233439250448e4d74dd53e928fa6014922f354def8e7354d3cf937cea9abf22

SHA512
d1aae842497467c19f902039e71b6ebb97dec0b4b0e2d2c55276221e323f61fdaa97c4206d32effdfa0b1f58e0226e68d0c0dda66d2c55256348129a1a26a39b

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
f5b4de5afb9bf1e0b7a3500667fe516e

SHA1
3c1cc112da03ed1a15496aa64209f571a6d65bf9

SHA256
5c83ac32ef40bddb770e6ee09361c976d1a61c9858e2aace1928e4e2ca613c7f

SHA512
4f91c87e20d5d150f7517e9320e6a947b2d7a3ab6587bb0272ea16ca057d058cdab8823458f9c1babd6fcdaf988fba34360cd1dba85b567796f93306391591da

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
407627bc3e5a7ab53765642630f21085

SHA1
fa049549798e7e027f1d31e8054ffc6fb33e042a

SHA256
fb342dcf457e2a5a1c9aed0d8af94d0adc5f30fc8c8e01769383b99802b2ce05

SHA512
342b0950fd7fa4738123d2fef7b5697af8126e5ab28348225f0c737530669a90776869d7da6fd63e1e641d0bc1362ce66371fa977924a9a687d6dce407b93ba8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
e6c3b86435aae899f85b8a3f54711d68

SHA1
07341ab30233a59f1378e5c54e986b914811c9cc

SHA256
6a82c2912288ca33294956a650008790be22b2b56c46a85875083bc930081890

SHA512
02facd438b4ecd86898666301486ea14e284ca4b5d6639400c3d84dec8457b19bfd7754ea44729e835cd4a963039e19babaa5940afda3b7b2c45cb23525c7db6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
93952abb492c3ee25e552bf703082e2f

SHA1
58ae274044eb5d9817721b0a806fbfa6fcfdfb0c

SHA256
72e3b53d8f77fab4f80edf704b1964d6f6fd4ca78353544d4318d7ce536251a1

SHA512
028f76403dbc30f7634500d44c3a00a53410a0b87a11a0e8b677901941a63a8780bada7722a09d244fab7eca32aac2aea22e28d961423d21af44a452abcd2f57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
b5ced20a80fdcd4e11cc5ff0ffdd89e1

SHA1
8fb5428410016e1d0b3018dd8aa397f8052a5018

SHA256
84e4e98b5734900e2906bb4ddac1ff5a72163da7e0714e2f0c23204900b31bbb

SHA512
7da2cfde1f3920117a1c63b071f5883a1e7963a6bfd43108f6ce62ee38dd134e7f8aa2cf13207cb5c759ebf187c542c0857c5bc16cbef66c5414cde602995a3d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
b42ac8f40d6afe80e911b11a7e8aa7ab

SHA1
958f157b5f311f52966e0498dca250b449b33e6e

SHA256
f1fe4ce990cb15ff1132bf4ca11c3e0b00b70f0274668fb5cd091d5ee6d7550a

SHA512
ceb1dfa297d75ace0f5b74430e86d864272995afb48f656862cfe58e5bb09326461517c9be73bba55d13cfb51a18ec0ceeda3879997118dd70643daba07d37cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
631024f260601b164132106faff35f79

SHA1
88436aa7a0801dff59610bbe77116a8972d069bb

SHA256
455e097a8f254dc1f6ee4b935dcbfb3af725ccb79840315f370457ceeb291b1d

SHA512
7848063827c162f84e8b5d71b1529ca83b35f30c100355583677937cffc866275076048d2c4c40e8dcf125640725b02a22cb62d28fbea1c940275d04cbc8fdac

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
92ce8e05aacc7de9f1d73b8590ff876f

SHA1
361351de048ba060fa236e1fff6b98f5820b9f45

SHA256
8aad619cf40d7157e37382016e1cfb5083418335ac960acba848b4f7710b163e

SHA512
673531f19ff0b9217c2f154a6ef81c9a69a11a920a879a25e0d09c202cfbee0ee76c4e502f8fac6f728cad3027dd4178e47dd07e651aa311b8465e0ddc427ff5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
8c3ae6b13be609545dd79e10aa2a8301

SHA1
baaaff5590e38eac882a7263f76c04e4d55bdfc0

SHA256
7481a4744229f687807c70b570f71449b8669c6732f65cdefdf1720567bd3f69

SHA512
cac1bf6e90649d812ccbce9d69ace07ea247bff5324e35f6e6614677b373c0efb0fbcb577dfee063635f214b481edf22ef360446ba8278ee46fff54f3a6a6573

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
350bc503191a0fadb50bb6fbb135dce3

SHA1
701ec121c8f19d9ad59556194aef47cedc033e54

SHA256
8adb3bbcc58961b7ca3fa30d48daac8c2fb02da850b51cfe436b46dc768b9455

SHA512
31bc42600a7d8c0d1f2f2090d45c2a9d15809c6e0090bd265924251ce0d50997c09dec6919f2f537215c2d894c338354bffc3f55f31e90261691481e8915fe68

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
a6e343c0eb2e84cf07c2cbce063eab93

SHA1
81984ffb591e62688a0bf6af08d9e7d48ccc73b7

SHA256
b48e10d0160818d92340ac75a4741908dacc2e49784b912b0c05ba7af36fb3c7

SHA512
ba326333d49c27d28652bea611c4733e4e9338536842a821e5c413e95731c3053f8ae374ef04544fc13aeaa7e71335a7333d54ded91354f1112c00d31a1bf72b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
fa66d4080bccfc5bf5d6a107628097ff

SHA1
1617df7c36a3998f2d7b0c8af492923837d34d92

SHA256
c89c258140915c5e6df4063116951d4a9e888760d7e6d26ffd51c7569d405ecb

SHA512
aa0911248afab53d40d411bcea9d887a237ab952fbc02dd5e0701ffcb3aea355ebda7ddf1f0cc585837ec05284e14c8ad0c2ba296121d28df18d350810d08eaf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
b4b00eecfa50cd139712f13143f98dfb

SHA1
78443cebe544da014705034b5920ccc365cf0cbe

SHA256
c35da0015f4255d9dbb6cdbde33bddc9af80ace2e72389e7b48aa7c3d26c892e

SHA512
8f9e087941531bfb5c9bf23d8b64f4abc731bc33fab25647e7e372682728b116a3a5521939a147a100d74e225b801ec055011c4f57c1265b62492de9b65594a1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
17bd8ab49916928c9af4bf647a66bb59

SHA1
ab02dc6bb5dd1f29d79c9804ccf7e90dea0bb49b

SHA256
894d848ef3fa6602703c0fcc61cd059df06f7637da7f7909940cfa47c38ab0fb

SHA512
dbe02bc100edf5bd49e31d954516e214b08cad176a108c358aea525bf5ae8bd5e4f9f39334e5e7fe7f28bd7da5e9b1bb5f639dbf90b482d456b53ce229bdf4d6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
a6708af07ea10997c496bcf184678f3d

SHA1
200da72b77539bbed9e3ddc5785ab6b3700797fc

SHA256
0502c404a8151096bb4f723beab723a314cdfd198630378433531ccbf3479040

SHA512
7d6f787105cd84c8270578c16fc6d18d962a6a94635e6954689e521a2063fefde518b734e6f8a144271173817df64e9cb0974ccceacea14d4086bdd99c561009

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
1c172f7d5a4497f6194e32a1287c39d6

SHA1
e8bf890055003af78281902eb66d16495bcc9bca

SHA256
dcbad034a9a9bf4e8ec2b07a26a167fb26e20d5f946562605dbac3b9e00eaf23

SHA512
f1abfd60aa907293a5ec4c878ed5dc6aab56825b6b17ebe5d0655cba87fec8facbe7fa34b845e253e263a5d85098b2b25daa09fa350b2a17eea37dbf16e4746a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
8653c24345ca36a268437321706ecb47

SHA1
2f8077e39a4ddc011f2162cb5395a6705541215b

SHA256
fbe83858438eb5590644d16427663b92f082a1eb5510341598725e7f0a870ed4

SHA512
b83c1c1e06343c307a6c291b6b686cdb23d9a2203501b061b24a09f91269fc4acc1165791cf609d0b9fbf2602d5f26d78fd4120a94159c3ddbaaa97954142bc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
a51ba64fd6f8c7f134581935998dee3f

SHA1
20005bf1cebf1b78c969d77db55e67f5189777bc

SHA256
b92efbc1541908cb0446a1215f55b06e1d5e1ac04bbd59b5b2fb5c3d9747dfa0

SHA512
77b4152d24ac04ffdca6a0ac5f9b7706e2607d848af7714de1b94e0e02040c635c480ba3ab925e81567682f2c2912c449f5ca1259631dc9064a12dee408fceda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
87e0a6d336e8f28ffb778434bc8804d3

SHA1
2956b2974aeee90531885d76e0ddf4768fdf6de7

SHA256
b6a1f4806caa0137d062f91373147ac9ba37cfe8bd78e73b8910eccd2173c354

SHA512
a63eefa9b901860a5b6263ae7d6dcebf30d332324e5247236bdd3e882b69e9eaf53785c864a14ead38c43440eed3d605640724ae5755cb86aa8bfef97e52ce22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
f6fad358d2a2ca3002413d03b72cd41b

SHA1
5a01cc2fba6f3a8cdf71e3f5c8d7e96896deae6d

SHA256
3c4f647bccfacf3edc49e2ec98cddcff10f600fd82a84f552da741ae15a02b1a

SHA512
fb60296f58f3ec9eb0e13a95428b2a51008892b3dfcf76d1e503a107b85150dd0ca0b763967b1ecb688178facfae33f6e59656807a375c62ceab4d0a21f95641

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
0b8f621930afcbb2ab103827d53d2e86

SHA1
3233bf2f69354cea8d80b7d02fb43e710ef19227

SHA256
ac8a37cf47329e1bb15207712662e1edbe75bcf11c457726b74daf6d3dcf059c

SHA512
d402755eb3564e560427085cb6754860c200e0191d008b92562e3e47d43661dc86d9e564ab1147d547074c6fb00c9b2393233761f2fe120c786f00fc549ccc0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
873d24b3f8714abb9b344b1597d482a1

SHA1
8c2b29167c534c9161e58174d1041a71440a9bee

SHA256
3973d353b23acb554aad3b3ccf79f1c1e3a682102f59301cde6e9b144d2871ae

SHA512
00debccc0957908817553108228219461ca55ae7e21c9ddcdc97ea830905bf5072e26c9454f52e83422a1f654dc5b49cbbd3d085b0f88e444050f9d12ed3e054

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
83040d7bc8817b6ae85819b7046ae465

SHA1
707bccd39d4dfb043144e7317fbd912e5e0ae69c

SHA256
a6c955640cae4f5c7941eb3a61adca1a50a89b0305cb48c27f1038a85cbfc130

SHA512
b5c54bd475399fda2d1ac42b4fd28278fee98262d2bfac3bb276f74de6bb73f8d4f6e414d4a888252bcccaba23a4e52ae02cd7c59c32fad4e65f9f2ab735658f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
0c4764f81afa17d92819c2ee860b02e4

SHA1
b3385988c2af6e10b3e312a0014c1d287733670b

SHA256
44ca9a4178cc5fe750df89434751b3c9fdbacd91df3eeb8d4f7a3d21bf471df9

SHA512
af7b77c35611d8d77b64d176b97c1aa5d2d454745f39d93d7738011212e7569e26789a9e05cb5089ad2131c1271fb3c93df0050a0bbffae1b2a48128650f8e21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
30bae2a2be71dbe3a35958fd2b6264d0

SHA1
07dc2aa81617dc541c7025c92553a8192414daf3

SHA256
477a87aa46a849f04e3ceeabe9f1d9affa8860b3c6cdeb0761ee5416fd23691e

SHA512
cd868ab87cf3467c90853fc998889d1bc8d14b03cc297890cf7c56b6639080e16fa470bdcc8bda02126613986027d4257937ce6ca0e46f097f5130412b2907c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
f4abccb0f11d4ee4ce8bf3bccf8b9817

SHA1
cee672748e70e8d046f54dd907b3cae3e8509918

SHA256
69070f61d6edd90996ca0c1c7fcbc4aff383e27a3b6eb9486230c97a7472dccd

SHA512
18426a953de4944e1f354962a2127337ecccf637e487b990ad7aad6a2f5ea06499967461a7c2e4e6066e73c3aca503fd1f73caf49535f557a7509c1214ba423c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
592647d9875a22b4ac65e6603e1d90a0

SHA1
f0e44ba31e9186f39e9a6ca8fd5475b68c259876

SHA256
25fd1696d5e262bffa63fb2b6e8b6a2ace423368fb7fb65dbd6618d8baa1ea90

SHA512
85adfada162d45caab2b6c84f15686d6c985036538d23ba5eef808a15de9b2c822fd68bff78024ef95d110e9ffeba948348284de3beffb308229ec1b4aeb2875

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
8f32b35a3d5d05c5a92136f241381b67

SHA1
e51f73ba916cc27f7b658e2d2cf7f0d7407b3810

SHA256
13f6a939bc7ebb4df367044aa4470acdf066f935d472adb3e66d50123c8bb32f

SHA512
dd46a68989e6a3f1a39dfa8a3a51a84643c3eab91a8b39df12a06ac78b440e51fc5d89f7bec8eb72b4f62e5f0e74e0fd29b96bb3ca9820c5f2491a66633efb1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
09a7ca8acd9c24ab54ee94fc1324c899

SHA1
9ad28cde4f0e1b3a55b3af028b1294b2f173af08

SHA256
913cd303e775dccc25d56fa0fcd59471ab8801755cf30354d5c738fba354c9fc

SHA512
f7e0a8ae0c1521b95bcc54c170fd371b84c9cee6fcd587b2c75bfa2012c7cf1f16a48c74d40cfbf1dcd780185da457512f66e3c18c47e2e25e9f5f530eac357a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
b21b010e86c0b4be6f2c4eeb9a1470a1

SHA1
a82b08d48b54f3c5e07ca247ebad31f1f8ec77d6

SHA256
b0ddc266eb4ccb5106bbc18870ce599fe8693e812328009468ebd054079a9bbe

SHA512
6075edeb00e902b6217dc172d03e210eb9c4095333b39b5566b60a3bdc64a2007e552e025e6dfc1882774c26f81fb8dc9f3aaae9f05ff2e86f048480f01e4957

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
52726461f5d25b6e90bcdb4fa696bbc3

SHA1
018f99ee066bcbd1750c51c80c506192e6674896

SHA256
0c40e69943bce6aef4b5e4f4c96f9db619f0f5de993d9f4c47ca436c21f62119

SHA512
976da17aaa1d601310f89911a79dcd0d5e80819bb6303b39ff89009c05f673f073015691a09e1ad1636acf54205d93b7c31599b9ebfba2c5fa655e51a15a9f38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
9127d354a61bd6017b0a87166271497d

SHA1
07723d3dff35e53f2180a0b6340fa27233057409

SHA256
d1eafe02d2b8127fcdd70baa010e110ffdd049173df31d2a66ccf0e832c8d4bf

SHA512
db647c773c9dbd5899748d532a361157cba29c8bbffa6337c8257d21e2491ec1047b0a7a6b16ca32b38941a587bee16887c245d1d480bdd90f85ee22f7da770e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
02df48aa47e7bb9f9c9d54375422854f

SHA1
4f923f8729ca2560bf44de0939929c06fbae37d8

SHA256
33fc6b012e12cfd0de0180a796384d201efc86d203e811110bd91f4899a28de1

SHA512
32302c35afdda81f7243b0462305bd62d36dfa73fc207bea1ceebc19728f485f5ed6dcdffd7826097f35f3b339c1a06fd84cbf861470eda04782dbb3b2dd4f7d

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
94fc0e10111364a466fbececa1250c3f

SHA1
47d0f623d8224639ab198f50ff5a00e7734c4443

SHA256
245718754ae6b3d86debb1b343996a6a6e8def29bba118ebc5043adb68557a55

SHA512
8b4d5561cd7ec3fdab742f88fc053e0b58c40e778c1c1831851f9e2d4791fe39fc3c1f57a3b29dd1a7fe2c11edecf631b624103531501d59fec006a07da23495

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
f93d8bc45f20effd36a5551749f47463

SHA1
5ecb26b10982c27363ce860f4dbad82ce7d406c7

SHA256
4acd1376a921bd4e25087a2de9c5de43209cd00b2cc876f7d84297fa1c524f80

SHA512
cf54dae159df40da77b6d377366c97d52d5d8eebe0781b344c25cf00c2c1598b4a23fc85b3a6f478504d7ba2875907bd3f6290e61d97e2e93ddd6aa59b60a1f8

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.2MB

MD5
209eaf6a761bf2a8357ffa53d21041f9

SHA1
88bf7781ba4aa234193f1bf23773217994952249

SHA256
5d31550677afdbc7fbda4f9e4d96804dd43e6215ad446213839d5cc6bb78a065

SHA512
8d81d0ae0fea4ec9627ffd581340d9eadc889899fe2b8182f033b81408a4633bd6418e9b0753a10cd4056d4febdf34a3c878457e51a8b5f4683538b0fa0a3f58

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
85f7bb285097404a9b8b2342addc1fe5

SHA1
bba1dd133da1af57ff7ee527e3fbba4e87914f11

SHA256
dbcaad6d141eb6c8c057c57e2c564d7628789df730d7d8bed054f73f71474f53

SHA512
a9f649f82767a5aa1cacab32a14cf3f71a6e59c45fde89c6f94a2840b2e8d148b26e5ec46889fc07912b0a59ba5a2920b0783a05e6fef0115f4aea69704efd45

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
18776beea8990ba33bfea5ab989cb7bf

SHA1
afdfc89e5c52cfeb8331402fe57a1ab0badb3a93

SHA256
05fbf363527b1fefd716fe0fa16448acb3b42d3e3bc324227e0ccffb585bd7f3

SHA512
0a3d91bce00c0f6ae524fdda761b4d3c611170c267c574307e7ebf6aea0cfaa7a720db0e5d6d8c791f60e2e05e9dcec102828a4e44b7471f971a730317af1f7f

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
c21672f04d2c96a8038490e6509e0535

SHA1
897918fe7c6f1f8fe854c15fc1160869824798b5

SHA256
75789c831fed5994823220fb3ba5d87b08db9c4fcdf024fea8f151adcb2c4603

SHA512
3aebc55a6898911e54b8a1efc19c39c73b797ced85c13ccad6dfd19d0fbfbf6fbcd6245e97a74a77d67a6f8e30817ce4984fa25f802cf1fbc7a8165170cab648

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
7c44ccdc66556db161f340bd5c5b84c1

SHA1
4f699bf9bcfbbbcf65fcbb99d3c3622e0e900057

SHA256
f30e16586809d019ffbaa37a55a17d61951793f6cbb8c88f041906189fed9448

SHA512
2595469e27183944b1a30f39513eb4f11d2415486d48ab8e78be3272a502c1ab1754003b837a032c587c2bbed659dd7ffa63d03d3088c6b48f0917b8edc98d00

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.1MB

MD5
26c7b5b59d9913d3cfe42789fe6e38b1

SHA1
eb6ea690303913f8e1fb2bd16e76fb2c9bb3843c

SHA256
62f20e9c695b34e8a9c280b60bd8865e8454127cfaa6f49ee89137892e65448d

SHA512
45bff3f2c76d93572cc3af280d52a902a98457da0adf6bee0f1aee9c13c3930bcb654efcceace609112b7738d05eaacf076fb44e1b4ee390e1e7ebfebaefe617

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
0636e5b6f68e7b1fd1c8171a627ff06f

SHA1
ffa1fcf549ef3b11e3e5a237cb263091e27ea551

SHA256
02a9adbf0946c5e6cdc4cec08fdb46c6d65165ed619587c5e5d81600007646aa

SHA512
1ce056dcf961e5f3b5c3a6a2569a9e003ae54fcbdf01656dcabbff50db2c3997a423c3329206e88a94edfa66f4aceca16ae42b4cb8d4a358ab44bf13f9489233

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.1MB

MD5
bf71e9e9c7134527cd7827d755bec20c

SHA1
3d87d8c541f3ac419bf9dae493ae232d1a3b1c9a

SHA256
876f873ba8b453ffd05aa1cd171f6e513f7dc8deeab93c01f555f30424bc44c5

SHA512
486c58309dda40a0c8bd3c5b47422c1af56cb815fa63997a9f81148626b33449aed608606d91181f492a52788da4f6c81499ec32d82fe580a75e85b190c2d95f

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
c7b345a608054862b1d5ff80ec175876

SHA1
6af6b93fe616bcf540dadcf71cd992e43ae86ddc

SHA256
d8eedef919d065e74c992e4d94e87c81bcd1e44790038e95e0051ecc0c3c4374

SHA512
9ca2e358f7572f5c669cfca5ab41de5b1ae911894609dccf023b617b88b02e181a6a9ab137c19f87680e27b9f00e846256e540f984763155754d02ae8eb347c5

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
4da01815b6712713ad74cb9d0dd6e419

SHA1
55a6852c7c80a269c4b25fe3f4329d37c1ac7299

SHA256
fee07de53b34a718d2bf1681777f3ae2375d3110cfea1f084c776640ba0a0f48

SHA512
3b31ecbba9b4546849e9ed9486f29df4c6313df9f1f7ae6ac2643aa6280085210e0f0daedf34c88a286a2bd7647c480203f5320ffc6e3b37f8a313e7b44180d6

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
bf7dd721410b5f05ad526667c635a4c1

SHA1
600aeb756b501bf4ccb416b57ac074776dc1131f

SHA256
82f5738b7a0590091830aac8731e63b5f32412dc640af9470984c7779a349f73

SHA512
d1595e8e4bf1c0d8b21e0a2c1c9d38b684e25709acba28218c1274cd502a7093ebf1df4c134d9f77816ebbbefa305fde9cddb90af6602782a80ac990c8723ea1

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
8f71fa9067c3c2624d63e25593317c8e

SHA1
a83be969f19445671149e2a356ea3928660c34ee

SHA256
d9aafd17b237506ebb96e0f6dd31303a062bd15f2917556fc07e60e92560ac54

SHA512
4d538af5efe77055011ebe876f03aecbdcc64feb2a7faec504a04d3056ed4b7d7355ef920ae2b2724dc1c40d98b05f42567bea6e36d4380a876ab5393b5d5176

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
dc53615022c0e0450b57e2462a856ba9

SHA1
09ff3f70b93cc9101b82d48d425f94238fcb850a

SHA256
16ab3f59dc24d26837254ddd745e3b8609f57f58c6402154fee95bf24c30ad7d

SHA512
e4bc53e497bbe34939de5ecbf0096627763860118780da96c126ec533ca7a69538d28c735112499d23708ec8f0dbfa6f78be740e4ef3d74bd970c81ed55f8afd

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
a547fc65c25d939da830f59a6bdf9416

SHA1
57a569b95f0861f5f003fd3e2c3242d92817fc9c

SHA256
e1e2a296483a3dc88896662aac37cb9a8536f154cba9ddc1d4b01b0ca67d87d6

SHA512
e132aa630afa2ab76842f4cd6e43c093d85da35758714937305da0463b6aeddcc051be7d5856ff0f5cecb7c485e362f5b6d985edea358605285aa082c67e8e52

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.1MB

MD5
e1bcf63c5c7611b9598e7d5dc36fd1b2

SHA1
92d6760994716be9b287ee0068369bdab7856e1e

SHA256
0dcb0fb805edb66d2e8d2090dc18e4a7df99eded9ea28c8e417ea5b28d838ff0

SHA512
d744cbbbb3c6f01c9c430021504cd098c174641a96e8f9cf9078ddc90a535f4e45c75b778b22827726204c9645b03d21a5de21475ffe8b11ba0350ae675a52d9

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
edd1d013692eadf26a7fda920951d528

SHA1
3adf6e75db2df6436b3f0b8122024a6caf758856

SHA256
3b7959b731558604296536e561f43752ead8aac93e06cb72d231f3a560b58b17

SHA512
fc11905e0c8eaa580d9487db9d4c65b119bc0b8b5b8f3d9c5372b97a383de3fe4eb34df095e59aba1b41df04c04f2be1536de3ceaee13cfa636b922db2393c6c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.2MB

MD5
cbb08c1ccb86ba868593f86aa480f5d1

SHA1
0286f370a569ba26c461a51d58b4329f11116d28

SHA256
efe8a11590207998e570f30c321835a4d2d755d558c0d14f3b2e39ef15923274

SHA512
ffdba43d4eb3dadef8e5d78c88f12f9dcb6ee151c808409835be45d67855bbbc2d28e52d4fbdb9cfc96ef84b3e6bdb56fda3662de47888ab3fc0b00f17e1ff81

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
448KB

MD5
d75d597d29863515e43fa9bd2e538e66

SHA1
0e2ef2151b21e9d86e3bf7f42bfc93cd2bba0c3c

SHA256
64d1f7f0d70953065544d58702800af84c9c6e3a4e1f564500017a9b0a1cfef0

SHA512
4a34444358139ef5596a64ff13a26c93b5e95f9445b079dfc7d48bcb3575988475f9c8811baa726d20ab4f7209f7f8e95a592eb928bfb111c4194d6657ae3b7f

Download Submit
C:\Windows\system32\AgentService.exe
Filesize
1.7MB

MD5
9b2f20b33fb2782b295f98a2a7e12427

SHA1
ac035c04330ab1ebe49a53d96c79bf0e0f09274f

SHA256
7402afcd1f46555cf66afda3a0762ae9ba6cf03b40be44ebe52d55e0ce5db34b

SHA512
f5b080a5a3790338c7c3980fef7b9229649863d5173f0592db45064f0d40af15c8a6cfe08f2fc878251750fbb3a1f8e0a0cc4c39c59baf1ee835899aa679dac6

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
6b93bbadeda78ee26540558c65e9458a

SHA1
dcc56770176faa22eb4348267e7a2f269aa19f8c

SHA256
3a5d28f0cbe89e7602e61c7e574fc78ba54b718dd17c60d27f338ad71e77d7fa

SHA512
bab29e3d916e8a5f4db74f4a19f29bb76fa4d302c3e490b70743c1470dd451da92fa9c7f355e09dea8b4f1a4282f1068b70a7d707a401481a388e7149a058e0a

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
f27d874c6b5429ee9ea5017cc2b46535

SHA1
db782fcce13f4d98462d249e08fc7c28b82cd594

SHA256
1e639332f3a05a2578191ffe41799bca91b4d942fbb92c86f904d63d92762ae5

SHA512
cf687af5425bef819f0d7d6d2f030a5ac23e48808971382866025ccefb0c841f6c34dfa53edf49992746a51b55d0cdd79e703769fc16c4ab2d98b09c58bf902b

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
08177709ecf0f47ea8288c6f4e1bf337

SHA1
75364e9195c744f259e94f2d2b03ada838ad0e02

SHA256
2edc8732f7975494007415b2d5457edfaa96a1bd3b794cc276c888e2aeeae169

SHA512
70fd01b88db0b1668a36e853bd99a205ca18bbea7266a337beec13adfe7383f88f32b8f4c0763cea577949e45bb4c6ec92034db99495f5b31ec123e72d4a6972

Download Submit
memory/540-37-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/540-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/540-46-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/540-50-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/540-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1052-118-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1052-33-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1052-34-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1052-25-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1152-88-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1152-86-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1152-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1152-84-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1152-76-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1996-205-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1996-566-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/2156-249-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2156-137-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2168-115-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/2168-225-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/2204-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2204-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2720-572-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/2720-270-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/2724-562-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/2724-188-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3044-210-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/3044-92-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3044-91-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/3168-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3168-568-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3232-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3232-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3284-234-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3284-567-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3380-6-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/3380-1-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/3380-0-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/3380-72-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/3412-125-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3412-237-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3424-59-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3424-53-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3424-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3424-180-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4016-114-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4016-11-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4016-20-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4016-19-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4444-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4444-573-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4456-282-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4456-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4456-565-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4576-163-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4576-450-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4712-269-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/4712-148-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/4804-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4804-555-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4964-571-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4964-258-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download