6b63af4f69e7ff528edcf37074adaa7a4c622734921a2a3a34b46dab2075a232

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
Size

1.3MB
MD5

a8f34549fecb958f659b8a1315eceab9
SHA1

cd1edca1bdb9fa27b59f9f7e0daca1a42badb28d
SHA256

6b63af4f69e7ff528edcf37074adaa7a4c622734921a2a3a34b46dab2075a232
SHA512

8567086e5325672cc212c6277953f3367dce568dcc1c27c81ccf1cc40b5becb44458365b6a494cbe07e64ed9656da04e7e2019b47b07896083a6df02882047fc
SSDEEP

12288:ttOw6Ba1Ma5DzvQouVuOblREIKZcU4aXnLDYM22C+EALcIgsy7Uq:36BaiVuObwcU4aP2vhd7Uq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4436	alg.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
2368	fxssvc.exe
2416	elevation_service.exe
3804	elevation_service.exe
600	maintenanceservice.exe
4140	msdtc.exe
2112	OSE.EXE
1092	PerceptionSimulationService.exe
452	perfhost.exe
4204	locator.exe
3520	SensorDataService.exe
996	snmptrap.exe
1108	spectrum.exe
4640	ssh-agent.exe
2100	TieringEngineService.exe
4664	AgentService.exe
2592	vds.exe
2996	vssvc.exe
2280	wbengine.exe
2860	WmiApSrv.exe
4076	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\900fd7041ed82f9f.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3af508084abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007c8e77f84abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb0bee8084abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f51d018184abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055d42d8784abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca70938084abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae00c78184abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000046b697f84abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
Token: SeAuditPrivilege	2368	fxssvc.exe
Token: SeRestorePrivilege	2100	TieringEngineService.exe
Token: SeManageVolumePrivilege	2100	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4664	AgentService.exe
Token: SeBackupPrivilege	2996	vssvc.exe
Token: SeRestorePrivilege	2996	vssvc.exe
Token: SeAuditPrivilege	2996	vssvc.exe
Token: SeBackupPrivilege	2280	wbengine.exe
Token: SeRestorePrivilege	2280	wbengine.exe
Token: SeSecurityPrivilege	2280	wbengine.exe
Token: 33	4076	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4076	SearchIndexer.exe
Token: SeDebugPrivilege	240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
Token: SeDebugPrivilege	240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
Token: SeDebugPrivilege	240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
Token: SeDebugPrivilege	240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
Token: SeDebugPrivilege	240	2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
Token: SeDebugPrivilege	1856	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 3256	4076	SearchIndexer.exe	109
PID 4076 wrote to memory of 3256	4076	SearchIndexer.exe	109
PID 4076 wrote to memory of 4332	4076	SearchIndexer.exe	110
PID 4076 wrote to memory of 4332	4076	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_a8f34549fecb958f659b8a1315eceab9_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3328

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3804

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4140

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3520

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:996

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1108

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4604

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3256
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f7f243a64a0a6d30b8ad33fdd1bd1961

SHA1
3bd8086e1e51084f3d0006dd809aec8a91f0c6d2

SHA256
c217696f765c8a8b433137f7e9dc3053473ce2b5b0e44cdd1fe59973f81bb325

SHA512
888330890a007d96ad24834a37667d1f459d1b61910270fed8a41acbfc3274f906556df69483d844b8cfdfb7ca57ada254fd453595289021984c20e5ed1db037

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
fe543f237935361e1b8a94be17cb7cc8

SHA1
40f6735c6459d7ef10555015ac9325d04052b9b6

SHA256
4eef07936d5a54302fcda384ef18679e9d0a23dc318f1089cbef3ca808331f37

SHA512
111264865c678eecbcfde34e26bc32b90f5f8397d34edd9cf52071f5e8f4386d1bc4de97e25d09e3aa6411b6e52e6cabd6524b1817aabd1f1e7de70dbd287585

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
7897334cc281c9c7d0f16fffcf5d24b7

SHA1
9515f03d63922229f0d35dcb07ad1eaa8315dc7e

SHA256
d91e1dce5d4e43142cf2ba8ecc26257fdd1a78b51dc15e63ce3e080a0a136f00

SHA512
9ad578267031de9b85bc1b5f560c5ce02c5eab7ba73253308e247def97d4d2a23b9e8327204b296ea08aee28af68f3ed591aa46edae459a26a8467f087c53a39

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f3868e9c92bdd3d789f2c001c93766b0

SHA1
2f9564f7a9919867f3e9a19e3a8922d1d7ce31e3

SHA256
c3b45ab1a1a65e55cafb13d1bf51d7bc710a15ced5617ba9a586897bb7c6ce4b

SHA512
b4168aa86e6a1256e126d556ef56beb5a07e6f26c10bc49b1983eb97bb9866acfea836f7e5dffa201b7d6a87ef58302a772d1a0a3cdaee913b06d50b9d756c51

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4fdd62e1d113197bff1ad6cdd7e0d5a6

SHA1
bbae5829995903eef44c54feafb12eee27f2d067

SHA256
ae3c6847b6aaa1628e7af61c9b6108fad835dff7199640fb0271b017de170d01

SHA512
b09465c2d1ebb812cc940346a16b2c55591edfb6b1b2c9c404524b82db6cf2db90449346377380c2ea8fa6fa5c0d67d0efca565d3e459b715426a56205d93fa7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
5725bb1bd6bb6db3fcc4dda190997b10

SHA1
6309ce587f3f10e17801226014c37439af295377

SHA256
0b149d2949d6c4bdebfa1c6599886c78d117132a9919af1205ffdeb54a65ce55

SHA512
65622c35b9276f1ade24999ec68eab9aa599d747949a5ac1a124239810ab6628760abe00d52d93539e42dd73413de3b046253187a2fe15de83f993f6b978bee8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
45125fc137ad58ab38366cae94ddc4bb

SHA1
4663415a8310d4afa098c1b7df525deec6a4fa54

SHA256
96778f642e95af52802b0df554e64473698b451e9d831ef62fbe551c554ea12c

SHA512
141cc7069fd3c269140b99c079b5f515b3abac5083cc5fa6c27bead788f757c4873f9cbf46269725466c204351937d01e9b6656c942fa3e34cae866cc0d01174

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d5db58f90671d967ca5fa56689bbe838

SHA1
9fe6f1b2f732abcaa21cae9c2c41d27a620c4572

SHA256
1f73d6140e7c33a5ebaee30c80bff867025580a425ac1c064bd5e8bcdc422d99

SHA512
3bf53ce46c56fd3ef5af40c47c379b98adf3d32feb0f3d5ce71a5ae27b9d22bf58f03bbecf460cf5af63d713420a0d61485b73735ed99ebaa301800e84788b9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
38c1c84f76791942f10992de75b92a81

SHA1
005ba523bad69beac73c895215bf6370b87a3169

SHA256
98028be2e64df6d9466eab83d49067f2224f8a7f521cda8d56a76a8157b0f230

SHA512
cc87a27faca106eacf9882cc9e75ab5322eafe0a2818de7a04632bba38857f6d00601c6003b74ed3efb07afedb32f61fb643da5cad02b8807b7a02048d743b12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
43c304bee5a9b77f4f4213faa6c41480

SHA1
d16f82682a7f6c3fec3dad3959fa9c5cda8b8cb5

SHA256
ef1d101c400a26a3a60fdad615dcce81b3289d66bf9d26ff0219a26156d2435f

SHA512
86c12358277149e3ece4efd786714b9fe5e4671a54a0416f03c32bc0f934a3d0b3220ed2ccf6aa53c0d2bbc2229405c1c15abc11be7ca2b375c8283e002bc2ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a5877ac646328ca854fed05add6ea8ed

SHA1
143614ddedafaa36d3df4aefd19c2e354d089181

SHA256
6cf96e43478a4726f2712e6b5fb91de23bce2a8ed1198bcda93fccc3d42567d3

SHA512
489512af1d0c3e938b462a350f4e855098874d6ea9721a647b89a51ae9bf826c6b7107a24d3c269ddfbb5f76fbac04a980345566abdb9a30bb6f2acc4eefe650

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a98345565ec3c350359c4a3cae6a0e7e

SHA1
2bf4932c07724c3bf896d550436f7d3c86895283

SHA256
0517cf604b88b39ca4776071bf1eb9028357a085ed3cfa29e81aea581ecfd706

SHA512
e918c09b8b59fae774dcd4b14303daa3b2538ce04a2567804b5329247f5e565f39caecc9f4c1e021bc343f119ee2763ba976831d82f79b3d683557b3a10d56bf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
5a958e2ce2335012189555b32b7f3fcb

SHA1
348018514a22709c8b8fd2e74af4a1317fe38a68

SHA256
2197be0d67f44b8a38d0795b9ba44d49f33df33f871d7f98560df5416b821c15

SHA512
49d8c645cf0d1772a66352cf21a52017e37a27814387c9459b8eb693dad9182dd62a86d5079c0a033eb6e81896ddc7af444799d5f988b7db758df0eaf736fba0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
8347d8648c9298be7fae29db38ec41d4

SHA1
f63ac0d92717e3f6d55f6075519ceb721554cb3b

SHA256
b8794b89c65a4706857a370af3a8a3b87f0e24a6e445ad80506da1acc1caa975

SHA512
3cb176c9021286cbae34fc3b4117ce5092940304a067365a0dc3c7a736b678a99d4123ae4374dd9a73a0dfbe086d26dea3f930352a11667f488b7e61d46f9120

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4630df836b145fa71f61e49f760874a1

SHA1
2532c7fc0e455d2801271709c3098c00bb5a29ed

SHA256
6baedc3fbad4db1296c3dc0d82ae315330d6ccda1c45f6fe0544c29e6c82da03

SHA512
b671e2c268e6690020eb7294b728f699269368de45f8c2a0c1c3b2119fd2b852b3e608b3a32158936a1a620540cdbb983c0ba05bb1e6606e034559448ac2e959

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2fd62a122a85b6b5f976e4dc08b2aec6

SHA1
4cb31e2ebc665333671f4f122650b0e67843291e

SHA256
0d1672f8cd58634b324958f704b1c0c45ee6dc835908201d0718d29080c2ead8

SHA512
196136f31a06f8ca621156aa4a296797889ebeedce0ccd19cf151a7313a719884f250fde78c96fa8d381fd31f8c247506bb26401fdc688c8f73e9e327816cdf5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0b35ea98531c946b6fa318ecbe22e722

SHA1
296f22a7da67df9beb83e94e97ee87b00138c7e4

SHA256
4fa9ea5b2ef7f0a0a7cba4543b0c04dfc6a6318b1d23e5927f0da8f278745f70

SHA512
8f5f6cc6e2cacc3864ab6b3276833c9c122302d4bbe341421327bbd055fd1118b6f97a509602ba9ee8c9a104750dc1f52d2eb31a828adb59d7735985a52b7201

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c34ea094a58c9cfc7bd63d9e3281a218

SHA1
e7fff7bfc9b6c882945ba8fa7d1b536559a924c1

SHA256
71e696843619a0502fcbbd97383efbe266bcebbcc5f309ee3023482fcec6ded4

SHA512
e745efac21aaeb78ab908796426a7ad32aa45c828938e0edceb5206dc8fd8bc3a093f57a0e67da060de84e31fd1de2e314b480674fd5f8bf381cd315439d6d18

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6f5588b7415531015018d0fa2832ad64

SHA1
06559261463c3009b4f72465fe830321a222ef8d

SHA256
8552a7ca9cc9c4e68f3c713ffa0bc57c5aa5e49ad419a8860298a56c5d48f2b2

SHA512
7ff634326c185bfe51955206481f88cec79065fdfc9385d75dd26fe2a015316d3598efd18ba02a8c56260a8daea73aacc0ad82df79f669fd717914656adfb1ff

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0fdea4d2234d72e9ece2432627653976

SHA1
7964d28e16deae6adddd51a85babcc7f1e4406de

SHA256
4d00f436b275ed35bba3bd076fe1f54c47d8c02d88933b21cc47498fb035d4f9

SHA512
c6eeb3e6eda4f93b605d9812062e5d9aa38d1dd7d6659ac44d972ec82b84b3a7a1de0f4cf2d53c226369c7b4ab32947bbdb8de9bed7372c2ad3401a67abd4d44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
a0df4bc347e1ec8fede0bbf0d6e7d24b

SHA1
9bb5ed4aea1f588d8449d7aa802904aaf63131e6

SHA256
7832465c8d9413984ca57eddffa74f6968efa726c8bf27a927f7fdc47d355811

SHA512
15c2b755e76e65bd49da3eb8bc33914a700e88576c6159374e2298538468b18e055c4e294f6c43b2768e47e32adc77012ec748248d08b643e28cb926a52af9d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
494419df6ecf305723cd2eff8a5cbdfc

SHA1
234c6fa890382004e53b744d3d86b750480d6801

SHA256
b64f343466a278cccaa098a33010c9bcde62a406a3f0e38864cdf33d3308808f

SHA512
830804301ea554d7ce2dd87fe99f9bb68999f1e9aa72beebfd60497abec1e74d0d65a8e4dfdba80132efb7b0b68af51b2a5029de441bf519ddcd06be6325ac28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
208544cd68a1e0e957fc296ed9dd9c46

SHA1
e579ff301343b0a6ffad98c48b566e0f7f21f252

SHA256
7ceaddc8eb60f0f4e409fc22197f35b5ad71ea169e5b7b02a16d46a2ecdf3ee0

SHA512
e771d7e58cbb4eae1be1e879f61806f460c18e4b66e9f5be6f1bb2ecaa420ccd53adf7f5497ad555c5e7f991d04cccb9ba27276e854d3352f4c3c30b6852075a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
32e9c806a4ca8cf0df17f1a11334a6df

SHA1
cd568d41e6515306990ac1e480f45d11bf85b55b

SHA256
0577f2279814d331911750e16343057e8e78df4463ee86b4c2dbd91cc3ecc705

SHA512
1ae222b1cde8c92fa246c4ecfe017f155c26d638631abe1e7141873945c2ad30505e24740b08d86fb496a934b609bc122138cefc154176b5050a3a71b2f13601

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
335ac9547d0d36e597c9be74cde524ca

SHA1
760e3f25b52cf4219b351b75c8f14f32b8b6a9ec

SHA256
57299ced9e367224cf9565a074adcaaf3d32fd7b67376dfe10ca55e5f9de3ed7

SHA512
af94b0974744a509adf8a11c6de8f1f2d0d817a661173f8d5617a0daa7b7aa22284b95b28421bac8f97a36a492a3d356e1715d513b71d27730ea425c88378cb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
28f365446a39ce9335c1b3cc29e6d5c3

SHA1
c29c162219a7f9dafa166cb0b3183c773b06af01

SHA256
e2b50004738f7ec5e8d4b6bcba99a4c07baa8cf5abe6eab4fd521db5dd9b368b

SHA512
ee1dd3048fce69badc35953ff68f4db27e7f843fc3c40caa7cf8a8a2a3a5e87d939f98b695467d599497a995c89d03256366dc094f5ec16ef193a91cea9993a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
cb6f438d3009e316dd2d7ae721a9999d

SHA1
4d982a62145b369b4a0a7a138bba5045faf6077c

SHA256
5482c8047026654420dcd3ef3d91d4e48998c937e01dc212e56c3a23c7e34b53

SHA512
7757b1d9ac1e179b1c982294fb4e0281f347a8b9aa956a8c7ea2334b6788ab1b7944ba0483690106756d24f675a71e8c1a08e6f806008e18492a83fa7bde4921

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
e75d3a3c62a4794d6ff8f66cc33af587

SHA1
dac9c0363b7fd4490fee928660afbb491f8bc2f7

SHA256
8c1be7c1303f159ae1147d4d987bf984e0aeb0527b774329eb137ba547073b78

SHA512
93661c973e69f613eb44201da75c9b1d0a6615fc96c7c9cbfd1ef8abed32031f6dbd787e2c35abe12481cab8bdc1ce9fd4d7a75f3e0276f089ae24b96a71f744

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
d14817f4ab816e20e3552145197d96fa

SHA1
4bcace67f47bd52fc457d44a5cdda7f285efa98a

SHA256
548561d940a74b03eebaad7ef84c6593b075820bb02cad739003342ec3a6947e

SHA512
83883a488d0bc8900aa43bc8609ec2cea9a2e1d90c45c3ea6d677405e91a1f5fdb41c46fa2e98af881bbff5b840c6cecd14c0cf9428f1833c3b276f07917ca77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
476843d09aed609c025638f0f07811e0

SHA1
68baa04adf5dd89ad6b620dd8af178057ddb2e48

SHA256
51083d316c21f78cc07b1eb4f4372797025593d9ed2609baf930896d4adf601e

SHA512
e1fe61eae5af21b4624e9fc28503bc468edfd1a0f9ee105a6e282b5359bb87a8cbba3e286dc48e368e511e98b22a6ceb0a3e80fe14ccfe329963f16602484310

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a2927801c100c4b92cffcd424dc51e2a

SHA1
b0706cdc017dffc09e9a0d0deab1b561252f6753

SHA256
5c7f8de7220d61b0d93c09049c580801fa53856c281c85088ed00a044806dd8f

SHA512
5fc92421f7768d77233074e1e4d1f211b6fb806d13f068a4c9bc70c4549fa46f47d3eaf88887d5b6bd49c0fb43adba4c7b962ee3cb441a2bc10ebf19b930b02c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
3684831688a2e3532d128618a1c44a24

SHA1
db9ed73e192d47c49ea650a21507e6ae3cc9b470

SHA256
ae4af05a09cdf066be520af78d67ed6f3243b192a5c7a26786d709f0119e9e9c

SHA512
2ba8ae2a81f0adc26943f08276f6894a5901ed8bf55b160527362fecf8783abf4e547e8b48921e3ae7521f1d94ea8f97a82827b853002c391c0fda4bc7a5764a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
de7e00ba43f4d6a529b9446ca1f7e2b1

SHA1
5b6b9f77d73509dc0eda9b36fd33c2a1169ef87f

SHA256
ab49f58a0419ef77e53c506ae72fbb4c7061ecc44621ce44b30d3cbdd3b46a98

SHA512
a6661ab94cd9672652d4c39bc4c9815c56abd565f0036041d4cbaf94bc01553eb63f026ca74164bad3bcfc56d89de940cf7c9092df118564e66cdcd831568656

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
07942d79097961ff247d4ab5db2856ad

SHA1
a6602bf331dade2ae7ae9a070df78f734f304269

SHA256
ee83cf9f3458f4f8f79d794080bc9d40b02e0ac154118cd3ece5c4675dc216c9

SHA512
eb86df2b062cc26ffb36c95688c79b714e7bfaab2dcd423a7eec4353c3dce81e0b7c1525c39bb7840ec4b24cae691219e569589d0102ffcff30bad4d28f6d6c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
a4da3991d2f30294a4172ceb5b9386be

SHA1
25cb625aa27c3cec0d7fb22a0126c0991db9be47

SHA256
aa7aa1a6dfd3c3990ccdccb94643aee46628542fbac88ee5b27d129f2968a48c

SHA512
f5a7fd0be867b5f675f842e7e67e08d76f717ba0115d1f08c24505c0cfac502595a1449250aa4103f81a50a6f318a4796fa3142971f140becea8c3fa4ccbb975

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
377d44317fb5d170fe0a5328ae5e8f2d

SHA1
e0e801997ad81600497399f6fc197eabfb0d5e11

SHA256
4a69d34d25037978fa42e168c3663cf630eb85dd5dea3afe99417f17e7304fb6

SHA512
eb6bbe8d706adcd8e669e00726086f002eb469506709cd5d110c21cd66983edf4939ac0f82249c1be1d48f0ce7d3bead5dcc6c2babcfe84acccf3e953e2f6d27

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
05d6e7638e4c9743ae51c4eeb4ce34f0

SHA1
ebfef636904fd363a1707489cb5c7119c40eb1be

SHA256
a0cd1ca42020663d2df70ad82abab42b76976eeab8fcb3ed9ee77247371a664f

SHA512
4b8f968845dd90bb96b9a1701b18df8a11ef2664634e6f3b58dc41a5505090e6fdb17f72019e61bb18ffbb925cbb3f6cc8d227f9a54f5908688f3b8653a02f35

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
4c44818a7fcf7af3bd96edee0694223e

SHA1
bc51a97980456f4c667e91d78fd36e4e7c818174

SHA256
46b741d216ff17530f2fb4eaf2759a38a3fbb108e452793e029f451b6d6b0127

SHA512
76ccea6e4dd7dcee5513fe98a4e32d5ba4918aed7530349c54986e9cad45ae898b83fe3a876af9909f243158d5ad0df69061302dd983d2bc1b99f6e0d741043a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
62af8cbeb5e91ed758ef6c01e33f6cb8

SHA1
f416fa2d5faff25b1fd7ddd02d8056bf73c324ba

SHA256
e82f69ccb2c591a4c59d22c574c1e74347524b72d3e01a4379c93957c4a81c4f

SHA512
b96e26644199aaae82bb590d738262e2c298eda32fcfb5ed6c2b68fb49dcde82cef0a1015d109c032b4c5e7c0b63cdb67b1cf6f4c810155de42d7d583fc61797

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0b66ec500ae1e69be502c51812b9b737

SHA1
271c8208ead59bf048e349701eca317f5d2d773e

SHA256
6ba641a9cfab92e06af07ee0b3f3781248c3a9db9dcd6929b1b4b8c5e361738c

SHA512
ef6d7170ce8570ed5b2453f25be12bbc7fb5d5cda7aae3b439f4d479a93339d5892c4a6646332df3b0b175fd899234a01647ba046adde4b50785c0541c6bf7b4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
f2f9dd5ad06bcb5c807f19aa7b60b5f5

SHA1
eba51f70dab1153a693583177a7db3829dfc3863

SHA256
d8f835eb63b59b83985033197c8acd20f67a012843c566289a4f719133014ea1

SHA512
9a788af6526fcbc8f57efc2e928f1a372bef0a8ca9fb49d8b370fc85068183db63b84d2620e98ba96d9242f22437de3b2b37599f32f41df76c1836a3318cfbfb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d39042f6195f15d4f0cb30e1dbe0a628

SHA1
a7824c9e28247c4cf81d88b543187ea2fc62ac83

SHA256
9e84a7227db015a393d3e6af60880a6d0f80753462815cf919dfce03266adb02

SHA512
e5b442cbe1bfeef2c15eea9739fe6eb78388b205ea9d1a287e32b32da5ceef05a0c2a7b645f012df08bf9e3e555e64faad249ce69a597897b2bd18242dc92ed6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0bf25d9b1ecdbb4aa9ea050dd2559144

SHA1
e228a6cf831b391a413bd036cb57006810be293b

SHA256
ac998a0121118a2ab36125f5bcb616238d9bfb1445eb6a13bbb08b624050d2be

SHA512
67c49544aecafc08d6419cd500af36ddad59575ed7da940d9b7b459812f158dcca536b0385cbce63dabfc8e4e80ae2b76573c40aad6fce33b24d1923e8ce3f86

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
a30ee415397174100de6fb4a79f70048

SHA1
1671edeb612ee66979050239b2a4cb1f58435e10

SHA256
dd894c56aed220f3edd98b95f9ff0e064d82095282c048db98d2c130e4dccc5f

SHA512
c5cf5759a6f8485c4cea7b96f34940fdc193c98db7d363793b5175776b54317e10e1440ab97505a09ce26b6491ec9adda946b2ef33ade1c53f9c1aef6ef52af0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
11aff602cf73f8adb70d99768613691b

SHA1
f89a1aa066964acbef342796594f84e3a3e853e6

SHA256
9096b7275734453fe1406134cabc3387671abd48257edda559a1c009e85bebf5

SHA512
eb8fe1239ce2ca450f87a56e8262f6c926e289e8c498d11e0985cf93dad73486cff8813e50d97023b29b257564fb5dc09df2e32fa1b33e3f1a85101558352230

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9b3f85bade2e013225b7a52d67532fac

SHA1
bff2032428fa4441770f80ae55ab9211230f1eb1

SHA256
4775b5c3e2099ee70a925cd90cd7e47cf2cd5455924acfa995050ba817560db5

SHA512
097d7f13ed73b8aa668f4646911904f70f2cc9f8a69374176dfe58589a923033404d0c64c7248096ec9ec65e61f292a1e49d9d3f2fe9166dd248f2924e103e41

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8bfa1c92b2545b9008d1b912f9b21b5c

SHA1
5535c54e5d63880fb29ffb48ae2398901ef77a72

SHA256
aab77c62ed16492f0c7ba89fcdf59005628a6030d3a511b866214217984d584c

SHA512
b8087db42782fca48da1be11e642df2e4693deca60ad52f7380f29522a0e26dc2cc4f31f79bffb991ce1d679c3d1ff720fbddeb65b09a10e0e7fab6b675a9776

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ccc3b4d2af13d61b32425cee35d14b7c

SHA1
fc544ec466d9288cd98107673b72b17a8b278304

SHA256
32956c6e9189373aae35dcd919db5bda3eb9673b4715027f704b8b9c85e21f1a

SHA512
e0ad52133036492324612a59a4bf4b269511acf2a0095d293962eb886b2e0ce3c87b74376cdc6675b5bf62810c984bf9327ab42b0f11dfe880c05aadff48c5df

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a15f58e6b02a553c265d1e63d3915585

SHA1
bc66a8a752e14fbb752a6a377eedeb2c7698e35c

SHA256
dfb1739abe2a2879ea4e8c170c181273c80f86bc890fe100fc8fa44a999ce8aa

SHA512
e5c7fb7e699262d3363e4362e774a08c7aea5153a7de0f59949cef95ff3ee08577929be3f7f3cefc7dca641d672b87254463c1f9c09a2b2d90f8e0d6fd821047

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6782f61f05ced59969256504dffa1b48

SHA1
0660550be56a0f5e718b8a51cf0c2560298555d0

SHA256
4fa93f681f662a3e8380094d3da809032e4af556ed9f12b1007af950bb389c88

SHA512
a5a41d4e97ca192c840e254bdf9109ef57a71f2e1cfe41bc92602a5b70b0041f31447a94c484ae3f58076250b9ffa62186a06221c0cf501981a6d33776315a32

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b9e2fef2100a5d5397ee8c0c40e937cb

SHA1
0d075a49855bfebe1c3863fa8c8134fe57e182e4

SHA256
a938c133d778b8e3a31fb39b1118b46c86bfe48acfc6d940e0e17f93001f5bf4

SHA512
b4b52c92a114a4915df2be363aa068c8f208247b2047204e8a394eb8b9e5dd498c92d85498533ae90b42137cb2498d90e579ccfeffcfe101903b56d6bae18f8f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4dafd05a06be08a17f5356902bd21417

SHA1
4a8705244b738d111648a337918231955bf3128f

SHA256
899feb385073d34d9d2489b712127552d77847aaae2ecbaa5fbe2e86ace5d46b

SHA512
525de4b2b60763299e92e3a2fd6306a089c8182ecb931a4971331d9d3e83679e46e7e0c19c3eb82a38a7e183c2cbdc1f9a39f16455d47afd6bff2427d1dcc51e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4fa80e8bec4c4f48291dc233946b210c

SHA1
5dfed036b5c0a2f35dcbecb76043eea35cd801c7

SHA256
58f44082f42a5d3db2c3e51c830b199967035ca5d84f12ed1ded9a5fb4cd9e62

SHA512
91f3b25f985f4b525ab2aab15ea694dde0ff4eecf9b74a74f5b6f4c5960e48dab03674afab94eee0fa8ac820e18164e7d7d640c687dc8d3b1a795817860cd471

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2388d5398525ea5922d5235ff2e64aa0

SHA1
0f6dea9960af1fe0aeb7938917aebc68787fcb4e

SHA256
4412e8eb8baff67a8f08f2cbe1bf3f243a29a82052f279bc93d1ebcb5a7b904f

SHA512
5017691437b6780591f93967dad8a026282355c00fbc501fd7cdb9969df8df26c155e29ab8ec0de20ca6f086460822e393ca789d501bfac050479016f791299c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a8c5514466985d7c8db6038fe5daecbc

SHA1
b6b904a3a87f693c2303d81900baf3788e5089f8

SHA256
f467627634ffdc8e16684d6d1875bcf97ebf13b32b7b2db6e93e2a250f5b7176

SHA512
59923ddd93258d5d07df447fc1d6c63136c4431481806cf4025bf66283d63d5a339021525ed26d80774a935660d03e52d0fe080b290d7e6540c729fc7687ef6e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2111158f1a6b906ae3941588a94081a8

SHA1
778720e2d347cbb69eb047a873455cf9857ec8dc

SHA256
b7aad3700895e33121747181f883e11488c6b3528b0b81612b243c21aec00fc5

SHA512
ce8b6731ad29804db2bc8de8bd9494aa2fc6f24874679cffa47ae64b3d4b51237c9ada182c6a9cac884a16cd7c88e462b9ae70cd005fc38b7e7d168cd8c41cac

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
88578ea27eb5d8e3c03bdec0c7f4b236

SHA1
6ae81ccc67d9323f08f9a6d0251ff247bcdaf074

SHA256
939074ef75a1e9f793a45dba2600b7593be6d8f6eb01e752e78fbc1168af88f9

SHA512
e6ec92d24f9b33c839f4bb91fe0d454d27a8ad91d7f4f0f86abaa42ebb8abc6cb983e7b5424613287d0dd74c89547e618f827237fc109097d9712eaad5286f30

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
ccb13d29f23751a31475edd1d51d4c1d

SHA1
d299cbb99160a9e3e1bf9dc6c07728e212db137d

SHA256
aeea10d82ac5587d07e869c2ee8f07b60f0a735baae8109dc21099f36204d49b

SHA512
97124828441b917c1767950d3ce81e33656c977c64223cd171c6d8cf32b0497d89e0fc989e8f4b497423260374f5e661294918abf5037fda44d67db71a21d151

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
ab9499cc3214ee2e121b8b74e5fe6ba0

SHA1
49df6f4006155dbafa4714e59c84f22e6da0cad6

SHA256
8ab03f1781272ffa3bf30af304b17af9b0433daae34b7a36823a51677b5b9abc

SHA512
76644358b1b84b57001b951059b0d661104a76df486e2ccee07db640cf9bbcc00227d15084f1d65941729bcf4930b287f6029b35a8e994f1ed7218bd0875e559

Download Submit
memory/240-0-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/240-334-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/240-2-0x0000000002450000-0x00000000024B7000-memory.dmp

Filesize
412KB

Download
memory/240-6-0x0000000002450000-0x00000000024B7000-memory.dmp

Filesize
412KB

Download
memory/452-100-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/452-155-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/452-95-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/600-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/600-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/600-64-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/600-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/600-67-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/996-193-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1092-153-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1092-85-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1092-91-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1108-194-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1856-24-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1856-15-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1856-25-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2100-196-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/2112-72-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2112-78-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2112-152-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/2280-199-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2368-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2368-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2416-464-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2416-31-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2416-37-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2416-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2592-197-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2860-483-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2860-202-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2996-198-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3520-388-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3520-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3804-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3804-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3804-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3804-480-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4076-484-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4076-203-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4140-151-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4204-156-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/4436-11-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4436-425-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4640-195-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4664-135-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download