7b1208620256627e9c80f6491ce469edfd453b1f8646824da1f8f8e07a4cbe5b

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
Size

712KB
MD5

65e2428c08386a062e108655fada464e
SHA1

05e36641c9b5bba57396294baf519a759d635778
SHA256

7b1208620256627e9c80f6491ce469edfd453b1f8646824da1f8f8e07a4cbe5b
SHA512

d8dbbcde2aff0c6c058fb1c4f94c1027179d74203e3a3af582a5760146ca7532dcb4e4c1c2b8b03b0c9c7150cc04e9781307e84a67db602462d0c797331525c1
SSDEEP

12288:CtOw6BazXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:86BGsqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3008	alg.exe
3236	DiagnosticsHub.StandardCollector.Service.exe
4100	fxssvc.exe
3808	elevation_service.exe
4376	elevation_service.exe
2780	maintenanceservice.exe
4480	msdtc.exe
3716	OSE.EXE
4784	PerceptionSimulationService.exe
3452	perfhost.exe
4952	locator.exe
5092	SensorDataService.exe
3664	snmptrap.exe
2956	spectrum.exe
4344	ssh-agent.exe
2592	TieringEngineService.exe
2692	AgentService.exe
3932	vds.exe
2532	vssvc.exe
2468	wbengine.exe
4100	WmiApSrv.exe
4580	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8734145db4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exeDiagnosticsHub.StandardCollector.Service.exe2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c7b3e89edacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ea16489edacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c7b3e89edacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019db7e89edacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005eee9189edacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024983d8aedacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001822288aedacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009101ee82edacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058883583edacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009aa24589edacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068d8bc89edacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009aa24589edacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
3236	DiagnosticsHub.StandardCollector.Service.exe
3236	DiagnosticsHub.StandardCollector.Service.exe
3236	DiagnosticsHub.StandardCollector.Service.exe
3236	DiagnosticsHub.StandardCollector.Service.exe
3236	DiagnosticsHub.StandardCollector.Service.exe
3236	DiagnosticsHub.StandardCollector.Service.exe
3236	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
Token: SeAuditPrivilege	4100	fxssvc.exe
Token: SeRestorePrivilege	2592	TieringEngineService.exe
Token: SeManageVolumePrivilege	2592	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2692	AgentService.exe
Token: SeBackupPrivilege	2532	vssvc.exe
Token: SeRestorePrivilege	2532	vssvc.exe
Token: SeAuditPrivilege	2532	vssvc.exe
Token: SeBackupPrivilege	2468	wbengine.exe
Token: SeRestorePrivilege	2468	wbengine.exe
Token: SeSecurityPrivilege	2468	wbengine.exe
Token: 33	4580	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeDebugPrivilege	3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
Token: SeDebugPrivilege	3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
Token: SeDebugPrivilege	3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
Token: SeDebugPrivilege	3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
Token: SeDebugPrivilege	3440	2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
Token: SeDebugPrivilege	3236	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4580 wrote to memory of 1156	4580	SearchIndexer.exe	SearchProtocolHost.exe
PID 4580 wrote to memory of 1156	4580	SearchIndexer.exe	SearchProtocolHost.exe
PID 4580 wrote to memory of 4516	4580	SearchIndexer.exe	SearchFilterHost.exe
PID 4580 wrote to memory of 4516	4580	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_65e2428c08386a062e108655fada464e_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4172

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3808

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4376

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2780

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4480

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5092

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2956

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1028

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1156

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
5719ab4ad3875ac41fe633d600681293

SHA1
26ef70556a06046e215d48967fad736a414cd70b

SHA256
226763af8a683caac22677e62a9a82a74326ab666bd08d0fcaa6dc5d1861b764

SHA512
b259f143f2e59b82ccefdfcd4078a1a9862345f878cf533a7c2cb3bf5e1fc9c6655707fd14c48e2ac19de438d7cbc21e08d8f9b62c91bcbd9a3042839a0f01fc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
3da2b136520384a782665cd6b41c8049

SHA1
b1a5cd252366f9ce0d6760fe00ffd11b1aadb79f

SHA256
0ffec1975c6c5b3a892dfc3ef9cdb28bd4383363ce9bc861884c26a0904c9935

SHA512
30183cfcd951e92726fe41a6a408ba270bc189823f76b1e27a06fb4ab152f4ad377838c542d5cfda4eedd646ce952d0eee987e6659757a772ee61d324ad42c5b

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
bbac5675efe02f501cee6fc1d7b6a0db

SHA1
7ea7534940101472280549dd47f45a6c6a2ff3bc

SHA256
1813dd63bbb01b7b3daf4f64abd8405318fb1e4a39f26de6534c4a4e5c80e4f4

SHA512
976b59eaec1459f3f9bc4f550866ea454cccdf657df4fa397370622acd7c3280f7f319f7b4024d5d62e10a73b1b1a91e13be78b315a4ee0d6aeea9a3ef2ec999

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
34fad99af681e3abe2e457488a73aa08

SHA1
207a9c5d09c577308b4129a1e57d2b70b0596dff

SHA256
b869acbccea39afcff7f196ac30d8d3bd593db531109b43061a4e764091cf47e

SHA512
a26afae70a19c2a95ee7e25d41d34a49fd309c2ea35238cc36e6aec835980f5790d42dfa8263375244efe8008bdabecd442b4a4156fe31cf67248f907ee20ef8

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
aa95e1fb2fc1c31656c880fd2e613ea4

SHA1
e8a6eeb9c2087e1b3b3962de38ffafd740bc6364

SHA256
df220d04a87ac498bb281e58fa99cc8e9e093ab8e02fc311d34e36dfa8f6026d

SHA512
1a0be39ee031af62eb01be3ecd06391af620846facb7510b618c8bd3fa9ce1e325f8fd8f4d2e3ef6f9fb4a7d7fdb8e724d6ff206c2d293d4c1d248f98a05a3fd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
cd76689301eb1f167e5a66a691414906

SHA1
c6fca282b4684ffff6f36ae99acc382c46c846ba

SHA256
257ac995e34a1bb5cf010efa16fb45941ad3c5fc5f9a9933bfea8c3ab12b3279

SHA512
e40916782560255a34f07331b503d56fc1f1d95e5916ae0f21f0fc10254091a8b8d7e960ce787c2c5acc352d0fc0a62318a97583eec7cd1f77eeaccd88c7801c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
e4f0256edcf34e229255deaf0d75ea53

SHA1
07bb2b681c777738e62da0d1c6404b9e1ba563f1

SHA256
213cc62830472f2d2f07fa509d0dd3923b8765480af4bdba4fb2b8209054f7ae

SHA512
5f8b2c54ec1142e828e4883b9fd7cd3e8039b03b1825e9e96f40423501aa0eb75850db26b13f090be0a2d98b974765862988af38faafac843a76e859dfa6cae9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
e2302341e5864dfe5e33f9c428d55010

SHA1
5c2827b1b2a0ac5c3b2a68b06db206a2aaa54710

SHA256
c66fe7f599021528ea36d9d9a2eaaac7bc8c9c24f57125fa1dace3677b8abfa4

SHA512
42bd1d6d90f6c36c48d5c39477943acf032ed3999c9e1f65085ece86c70f00329373565cd0caef6ca9d0e5b7f2b5fdaaee6f7bdb4d39685ff3ca931af9a84486

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
5a686c116a01f7b953ecac6d19db83d7

SHA1
38298edfd63c41f8f19d55c19c984c8ff8bad3f8

SHA256
3f76ac85ae171cb7685fd328334fcd6d1d74fe69b5ed116fe54b682a26cdc65c

SHA512
3c57bd7a55b1a6cd51fe4e5767833e13c7dab253cf671b934c04c56314f09f065fd43c9260c3831716768f0170f2afeb4291cebf7be11249d6a82f3b65093333

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
d7ebf11f66b328582c1d5d900938af4e

SHA1
7fe47597e95534f31ea4fc1547034d1e9c1669db

SHA256
8bece64c4b40685cae0a4d49c1eda940a79fff35fd4bce58ee4a270f2e6ee46d

SHA512
eb30de0c06a42885ab72114c3059098bbac588879dc74bf0c41b3ff5f9e0870e64c8ee256ea57f184ee6b776c46af7bfe485118e6b08c854e5ae36fc38a69d2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
f2fe9df341b4e39ac812a410bdef3ac5

SHA1
86459893bcd1baa0bc7acbd1e0e86411ff9e0238

SHA256
3270a2f1ee88b0739898ca32b21cebbc407548ce7b5542a7e9e56e268d018558

SHA512
858116d8f0481daf5244608b0d2b496df6d29da9d23904d278d1c13ddbce0e6b36dadd2cb760e42d8a29e5c5aa41a29973c1499f127e67d0cf951cebebef0600

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
dde9b219216d5fbeef96cbf70b3ba40e

SHA1
105d05809bf50ffc6a3dfe30d461b64f1ae7d642

SHA256
25bfb3e7a1d5dad1d80d173d989f9141f7e3a81541f2936ce56e173f702e0118

SHA512
f4cf821a07f1a9d88c086d58b949c80fa99905e33028ca271560028b2a169310528cef3c9177629988856adeaaa481cdb7182e4fb9e9ca7b7c81f41272f2251d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
7ebd74b647cb4a9d900cd91951f270ec

SHA1
209361de3ef7f5ba5ae752479255acbb86766b54

SHA256
72e12d270524452c871b500610d6abeb72fddaad96cfd4b788d45986f13888f3

SHA512
2da4cfa88b7c005569a184cbd5895c6692b407c1c025b93a9e7b6a2c35989791aac59702340f41da9caf29f99a5b6bd6a41fc12a99dcbe0ae30679d80e6b66b6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
15b394daaf4d4e2c019e081ea1bdb8c2

SHA1
3886a1550dae78b8e71269b4bc01e29909f7263c

SHA256
157ff12bf9c8b4dfd81eda16159f581ed2c4d41816ce14c2f8d9e7a29a9f1966

SHA512
76a6a0d10012c8bb45e69d85edf87263cd21c63604c2cc06d66cca2a9ff546f641a30cb00f10ff6664213e7b474e2c7c6cbde6ff40a04cc303ddc1dff08fa1af

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
b91b61532790e49fd10ade28f36306f1

SHA1
1c322d860fa7df16eb63310c5ae17701b6b26169

SHA256
8ef3e369074f9b177d1c1091401404437f46fec7a3a6ac4cfa880ed5df972b5d

SHA512
bf06cb39eab5658e20d64b36f7f5dc644e8a8a28fa62b08f24204bbda1209429e85e002e969c77e3cd509900ff98064b93d6d241531aa8346a1567fffd9d2cd7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
62a650cea5b536c861a2bfff6148caaf

SHA1
856b35b74b5e402532fbada2fdcba669714a38ce

SHA256
3decfe8fcc86cf6f3ac05f0c4a4ffb102b9f1f10ac080d374abbfe7a63770c91

SHA512
865637a1271b2fdff20242851656c53b56896ab3afc553dbfa63fc3ce87773bc0b61d1ad145a077f7e32e7a991a53ff4e0ba8c503ec635431684fa9141b9300f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
629bb3f30afa3a63e87ab57d7dbe33b5

SHA1
05299a03e7375cfc3e724a4761647dc2988559ea

SHA256
e2d2b3e43bb2a52df35685f601e23e66133ee2d1bb07f4ad5f60648e309ac5d5

SHA512
58818015c254f7a6c4520360c06f7a83f39b6026d6a1cc718b40f84d8e3ffd6a7644b9f895f9b86c9a141100121a7960bbf8f25b050f86cfa336a6e3f5a636c2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
77fc06b54643f96c4f8b688324d946ff

SHA1
8bb6eede04733e1ed069cf59b81563a16c129b5b

SHA256
6ec9d61dc8b5b88949620e34348a85299d4663712e1db2ea60d88256d3810af8

SHA512
f13ba762024f9849466478a026d968c22c5bcd19aa154b17d7e667033efaaf3312981dbc910883a2f2bda849ff75599d1966473fde5f58e6b2a6592a4b75f3af

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
6d41f0b6f7a6ca4ef75910e751582697

SHA1
5f42d0fff2d0c7be8032685bf66155fc013a3f37

SHA256
4128d7a158f77dbb62f255a4166559127a4a3f6767e4c625bf8a29db226fdcf8

SHA512
747e7741d13604516b235d1fd5951e4fc8bd18fb61cd37ac14c0fa6332f6ddd9897581f728d57530978fee6cf30f4b5698eed52e902a91bd7e85dac3f5c750bf

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
19ba1e0763dfe1b37cda27a8aa39e96f

SHA1
c8f92cf2fafd6743b873ff73bf2135af723e7432

SHA256
b4dc233c8522408450b68daee240b992356f2abe82a3c74b49b889958d07f95c

SHA512
0f4e437a209cfcf274f7082bbbe13ae593f08634df0001a53cbd8d15cca7731cfed80864984ad4f163b164e89ce3ce25856820114d6a7c032ccadf05893d02c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
ab350705e0d3f26a698287eee9c4b8ee

SHA1
244965dca4f0896ceb29b93c0848d2ba368176cb

SHA256
646f0bcc8b630f7822c07748796e92cd7914b47e25d14d8c1016fe4df285662c

SHA512
ecc7140df514804244dec8bbf55133124365708f364e307b2dbc29c80aeef523d04036ff7af0d8e7e515047117c721e8b0bddec7d73a00171d14acc01c800c4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
501a47f2cd5b452f32c407d9b28d0b5f

SHA1
f692f88d59ce5d09a9e7e42a2d7a3bfdcb2421b6

SHA256
48eb88dc3fd1fa419487d79664587a8fd3da1879d4a8fd8e8dc8827a634b38f5

SHA512
abbae424f94d33eec0659120c0d0184f0d1979ffc7abcdd4eb720575fb7dc652399270b19a5a10851819848104ddd7f02461c88a128e86370b9951c25c8f7eec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
724cc942f45befb85798036e133217f6

SHA1
910043ff55752e1ca9bc469ca1535cb25086dbaa

SHA256
e617311e13347e2381e8a1cab8692907fd5600244b0b0ac57e840b341da6c642

SHA512
dba3f94847be685101de566a1b7d0858ebcf32cfaff3a68e28ed27463f87f6e3b9b6af7631a06e6712a90e8f63a9df10b6bc491bb232630f9149d0c9f8221296

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
6d4b4e29d3d740aea4faa1c6cdc836f5

SHA1
badd940e4a84c311caf63a6aebb344f5f54bc3c5

SHA256
16e830ff734d4ea8fbd69c280b804cb6cac1826516a6293ef9f1f74ca32ab0b0

SHA512
e8d87a83097012fb4dbb9d7e5ee2365ad6cd2d2e16b5753dd7c393f84d70c6879f0a790d762ea67f42d6305dd4972f3a0667ddc5dfc0df1a769ca616e3011460

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
0acd0defb6b0a3344925ed567da9392d

SHA1
a419888cdc2f55cf43cdb930ce56a1720432a269

SHA256
ba5a24940c5545f888529d5af281339181c47807fc6a00b986704bd74b0247dd

SHA512
dd66148f752e512cef08d04cb8cdae67e008a49668bfb35f96c1e79c0edf2f56ca78592c462d0a3a2a16561a82c07d8c892c92fafc44b2c618e7957d7da2ed3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
02941dd2a2ce4c26957ec07b222807ce

SHA1
391b17c685ee376c123899f0536589d651e720ae

SHA256
3df8478ac7556f466b23ca83e9653891b0c7609899438ac4fe1da9ac8bb04a15

SHA512
dd3cf64762f462dbfb231696b40da18f47b9df15ab1fa64237223622615854df816c8edec377286c132467adb606ea85b11fec0205afb596aee84f7c89e541cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
0d978cbf07283f4c428dd687aaccca04

SHA1
0afdd70dd2aebd947efa903fcb88cce84c82e8c5

SHA256
0e7cde946f665dc61f8389837fb51752dcc146f7083bd89b9f5f32ec1005b0ce

SHA512
69f59f98e9c4e4d984a2484a05264e7df8e73851cf255ead8bd86e14c92d32bfa7be44ee114b3680fa48a4195306b2f489ae66cf0a99d3b5b58cd853c615c0a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
386f876294636236352b12667633dbcb

SHA1
03fee97a675d1a793282d1750886da19c0339d29

SHA256
02a2069794b5b6d8aea02a703a7834e2796aa1a8c36c376063da98a0e28e26dc

SHA512
cc4525d6564cf807c36086dfbb5bed18a39080a0b59e486c8e649a6583fdd91092a63c7c91d27e9c2e6a651f3cb81af3c0e55230bb65a3a2b0313a3f2e56252e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
d2c4c89aab56681cd16d82bc859fdc8b

SHA1
6144f620e986e4404b8793f322256a06330b8d58

SHA256
4028ca5cd9af80cda373abe6faf5bb6ffa8be510356bcf7eec2fec8f7305b8ed

SHA512
d0443bed9f7d80d785e2cd012d924c527ef715145624e27e023e598e8326f74e803aedd773ce3e3619b5d5b449d46ddd4eafc57817e9acc92faab74ecfbc4057

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
c9d8b01118b68007861229cc3e4a0822

SHA1
c9388676902e5505982b2c8ed8dd947997b91795

SHA256
f5df4c147c42256253357e288baeffe76885ff898066f0f109258907f7b18509

SHA512
d583e0e5da839f39f09a50d2159ee65af98c8241fd31530986dc064fd9370663737170b4956106d8fd84efcc694f0ea8a765d3ccf35376f1a1b86174d542cf21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
6614b5c5beaf081ab22e2ea9ae49fb7e

SHA1
137a3724c1cf97b22f93c349b52e4048f15761da

SHA256
020f18ac0fd86f5cd44e38f1e74e0acd946953518c0f4ba4d25ef02a0cef9e9a

SHA512
20430848680f6cb9337f96fc48460d6db9c5851c9f2099d6298e538692e6875881d1f5217872dbf978b70f1e74bdd27b4a3709385a36c7dbbe08d8ff6bc42524

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
27fa5ce80ae0a538589c7058976b857a

SHA1
08b622fd4c1e786315c422d4dc8b3419fed2b137

SHA256
635206010b446141b8c3b3ff40bf391f44a2ee9dea24f17088e80f73754e80e5

SHA512
1e5866d2afc13845a783c80b9b8ea259b965123650dc9f49d0892b5531407dc7cf3c004b5974d162c16506d08f127dc625265fef3921218fcdb3515698948c85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
e8547ff5673be095a339dd98805d571a

SHA1
1ad7af4b3b12142eb2221e2400f86b5e5b65fe3c

SHA256
f4c1385981ced44f9707bba44ba6851f1bcfc998481c455a1672f0c6767f7941

SHA512
96d23ea90041807f56f08a91eea37b842dc7cca7531bdb939428cda5c6784a62c568dd2b43427ed518ba390c147a069ab0bce0043e5557ce162383de507beb69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
ae40655cd59cac175c6efcce2704c377

SHA1
491d26ad81c8cc5f861f6283a7812a278947c2ac

SHA256
93e6111fd672026126d347fc69bd0d7ec49043732af1fec785d04b5d1a9b43b7

SHA512
22fa28fa295f7f7a214e5c5451d82e779ca3e322578bdac8b29e3ea235a9c155c300c3409998351b86229cdcb9482c0c436b8d5d021d00459f460ffa888a60ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
3cd14fa86d72f26cbae9f05ef6c8bee5

SHA1
ef940584cb564223b3ccc4e5c307ebc31cc4708d

SHA256
1b28c039bfac72ad8f15904de3b06b51713ce2c35528a1504f2852b6456bd266

SHA512
7d6e6cd961436d555c0eafd6d99d726416b789ebd14fd2899a994536d09103749c3714541c688342f5b389f313c371f203e240600c6faefd1bfdf48870cadf1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
3b92ccfaadddaee01fdbec5c3b84dad0

SHA1
498344656b39fb9dd50cbbd68013f656f9c0db35

SHA256
a2ba1a0e939821eb966ebb9c1ead4c831213feaed612ae0ad8b504839ba72a3d

SHA512
6e86bf013013ef11c965873302e6a441d7d30f3315f7a3348880e945e4a32de9d12941de4f58fae31f8e603b927391f29f6d11af1b541013fd88e9a8a0e1bb7f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
a557c73764ebac7921ae5c917d6b7e0c

SHA1
eb35c99b473adc86791410677ea5866e650bcb3e

SHA256
767346777a05f7bbd8cf84cad77cdfd75ceae76cb2b56ad35d3f33885591971d

SHA512
d9c4caad1962db34d3bb246526a5960fa4bea38dc488b04fd1092a8bace798af4df90ebf33af5e14ebafeabfcfce76e12a69c8c616f26077bc0bcd66d01d0c0f

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
10ce4fc6d18a0ae8c72748b3af3608b5

SHA1
58e2a6ece2098b86b5332c2eb842e745394f28dc

SHA256
98925947c2f943626786ea00ea5e3938d2af63d6b4a1b3e631dfd2697824104f

SHA512
f7a4fec51f674d3a1017f7e88ae5f6cfa5bce560f2848bcca8c8671a277fd55a330ceaafaaca38ff7df20a783439ea7bc00b53fa5e74ba5cce7a4c9d7a69d05f

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
12ae209f54a7049c0f89169d4a846396

SHA1
57bc241aa624fd09d55b2e0fe655977942da20e7

SHA256
f80aa1de597e3998257ee6ab92e29bfa176c5523b463b8eee7a2a2f622548910

SHA512
424c0e3e5fbeb764d644634fe35c345f997b106edc289924cb642a021960eb4b9d1eace0912f8da7aa74fd7ceb2aee4d32ae7f9e3dc13ebe4ea714781f6ca3ea

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
91c24a1ad6db199a2dfd6410b831c3bf

SHA1
5f807da9ad61eec94d1021b8c45c0bb45f3bfed2

SHA256
f7b3d94f6898a7c7a95b01279d8ca05db735ea60f0c8883b5fa9927ea8b8b654

SHA512
203da7025f1819bb497e2d47079ce632f0882b9f846a1a49e5b55a3ee379ee43beab2e0a8824dc303f04723de08ed84ce9b06c47bd2636cc0b7271751c52e4b9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
bb59b82be2b58a4f8f025332d80e4255

SHA1
5cb80117bbc4de1a0f6ba01ac9cbb91ba2d04472

SHA256
788899f7f8758490a2df7536310e4785a28e8fd48266fb690cec351863678ce9

SHA512
bf1a1f19bc2fe319f2206840c1ac4fd5d9c7a0a76b7e71b50c51cdb1a495f4e4a629c9acf7e906f119664925884ed7b1472edfa25c47132b9bf86af595fb0c5a

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
53d77b70f505710f015b231dc3f482b6

SHA1
b5f9c06fea46a43a67535cbee8e4506f1ce691b8

SHA256
caec9cf083d9f67f0391dac539fdebba294c1e2e274896ad98a0b5f87dde1a6b

SHA512
a2c805592fe6bc77913f73042cf40b640849784921e0c26a54bbf10ee2ee0c56cdf81135aed322fdc8fefd334d18d2f31e4ff7941af28699c01b7b84a38d6f4d

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
86943eb211b830868b24ad20fd654ba3

SHA1
d070c233bce954ac90e5a0a701fc5e3bad2dbaa7

SHA256
ea751b26fce4e2edeec610c6a42befb2e6cc996d8fad3ced6b1371b820baf33b

SHA512
d41fd24fbfff7366cd72bdbdc466342bb9d0ea6d09aaa35ae4505c66d53da2e7beb477458d3ba23529d2346dbb9f24f500ef9766ea335451c10ef292d1d0702b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
c8ce716d7b1f059497d982c6c83fe926

SHA1
26c5c98544f999fad50e38ce66514288d80a1132

SHA256
00103b9b9e127e2315a88f58f31b4ed921332d012ee4a28a2d8161a87db9ddba

SHA512
906ad00e202e7f146f747353a5a0306ee9e23fccc980928e9fec80467a7837bb2de735a1addb869eaad6c7f82a8e698f65311281885fcfa77aeaf51c61db8bb7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
6e87844350617eafeaeae9edee60f05d

SHA1
65c062d85e4d8abe0848ca20096d22cc356a09e5

SHA256
8567e499244589e9537d5670cb0c93846fa11f8dd30d1fceb6c07c0ccae9c648

SHA512
e386ba7a1b5c495caa91b44a7cda5d6b4a7e7e392074de0874550616da893fb609c5214135cd1ec289e2c1c580625e7518a74f1fc6b4c8ee1f4c3ccd0d3da19d

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
229e78414d8d5819ae6ad4f98974d082

SHA1
11d342f9d619dff2a243a82ef4016e8dfd74e413

SHA256
96f130cd7a0b91bc965a01b72157fa096ec5ab7d705809e5f4bb16125f199712

SHA512
e9ce5d7ef702a1f65fa5b847130089deb8477a75a15bd465d3c91f4bc70a7cc3876a76269968896b64868a710c1d00ab76d7396eb5a0208e6b8ee4801bb400af

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
034a03923a66d287c125818181f4762d

SHA1
f4d01f375989be8af059b49423bccd209d4252be

SHA256
0d0ce8dd0c468bc3a7ed65e08fd2e2e96aa1f08a4826d1eb2d87182eb834e427

SHA512
74bb517e88c867082ea60ea02a264c8f0273c6c844f0c023cedb4ff3f654f840513566d5b3ae9074f2423a7014394e4a3de622a1e3ffa5cd1e3a07b7e9699978

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
073be89936aef559419f532cd48bb52a

SHA1
32f045cc537574617f61ac0b8ca8c59333c17b96

SHA256
e3a177077d4f6a2ff26aef354cf088c03d282409bd5e282dda09174c21bcd56f

SHA512
662a6f9b2630383a96489cb014e955bf0e2f8604d404dbbd5ecb00953b0ee9035abfcbcba067a0cb35e433fe7ae06290f32ab95f722021abec3bc80ca671d05d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
317f0075ef488ee26da3184167aea962

SHA1
42624ad8a0c8db9438c9c08310aa77e26abf53aa

SHA256
e610d427ab1549c1069a1dcb73fc439a6efd3e30d64977017b337d80aa45c03c

SHA512
f990246bb0e3479ae092a7294741bb39b1eeb2bb8badcb7835e07ea3856de2382fdf6c6f7c9f8307b10e72505c1c5f5f1bc2a149635ac262b94eed3c86510c91

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
7f651470b41a992bc208cd9ff108c983

SHA1
c49a3905e097af05b7e5cb13a2443bb2b34ca059

SHA256
0eb42c20178592b7d0dc6004366fc49b452d65d26fd36572360133ecef3ada44

SHA512
13f50a2f6c558d72158ba6cfa51958cf838a10a42a98175a50184b165d185129ffbf24e5a9f486652af41cc219b18b52cd0fbad883d556096847429c559f07a7

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
fc8ab5e84f1c01915d73e89be0b99071

SHA1
115ae3c9fbac0820c989d3fc1b8db54f6885b478

SHA256
903c3bbb19443ce1743e1d03424ed40a0e13dbdbe3ef635d06197399efae3c3e

SHA512
935a1dc5571064235c8d277b3ef6874dca7a5ccbd9489b7fab4679ae8c7be118f717778084b5ff0f58e4e33d0684d794d0e9dec1f42602587d3f7e7d55fe8768

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
9f7ac63b7e513d05883072561af00b2c

SHA1
9f6406f42311a27507ab378ae028c593ebfb2a91

SHA256
d6349675bbae20d071c8a07a4b1fe92009f68c6a3a655bef4c1646e2b4b7d0d7

SHA512
fc53e0a8f39ea81841487bca683510f3507c4e2dceb30aa512f3bb680f7e28bf6178f74596942e1a0bdf51ef266c1048f3b40b19ac217f50e3064ed77f47f095

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
eb82a03d363b66a0ab0ba3748291e04e

SHA1
468e2393a7ccd185ed63526fe0da1b068469ecc9

SHA256
28410352fa309d43a576dd71288c126a9731448105d3788a9180ba4f5775ee22

SHA512
695969b569cefec4540d0039c15dc6c0d418caddb453143e72f46bf11e70aea23bb86ea8f0769af2505bc61dd44c37581263d34ca0a6a63db47befe9217e9549

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
28b8b7109686ae14765ba8cedb26901e

SHA1
8ee6ab52bc857c34d197eb86ab55eb3c06702a44

SHA256
7dcd8dfc82a83370476e73bf611232477b3a9b1902951eae74b33e8b9d2e324e

SHA512
d9928690ad4f42b10271d6494fb5d269eeef56b8ae227ace4291d68f743ebe13223e85e19a0dff27325eebac6340ab4d57bb7ca29f09c62b5921fbdfa1f4feb9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
cf836444bd8129c217bd924804942976

SHA1
0c0220c9408bc4babdbed40ec8f37a9679199076

SHA256
93ecb029879081a9e2b008970ea8681f2cfbba71b62e16e2b768632bf53f3348

SHA512
ff34577fb72cc9dee17a8d0fb1e16d293f8be1ae345e8997bedf0d6391c62a77169ff28fc71c4228de113719882440626fe636c101d6bc2b35c710d7337ef294

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
c8e32cdebb2869a32af477166d107f70

SHA1
7673b7fb07b513e3c55e390824a54d990d227d0e

SHA256
8763e5d991aababa08cb4e7631efc66faa730098da95d6995664bd7a0453e89b

SHA512
fe9da2fb7958a94afac2c80d0dfacff7f9fdf6d2ba455bcba974b8cbf1c46f264e2fda02a8618dddac7745ebbfa0137460d2911abb83c35a54ad9b6461508011

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
ef103c11398aaf048bae57b2fbb4f412

SHA1
dccce26ff56efcfdc9bff211d16ed1638209232a

SHA256
b553a2d0f67020cb72dd0da3b677d3620c6d03610925c3866427859159ed14ba

SHA512
a2e7d6d13a1e6b2c2741849f82a54011481fc63f48abd05711a2463789f9365c6cb2409a7d0148f64ee1f74c90a763f783901e8cca2473a001b840cd46e14073

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
7aa97f646bdd87e4e82791bf5dece751

SHA1
251599d62fd4982615ad3e56f0e0c656231f3b38

SHA256
a0a9b45a35ddab0e9f7b9c44c1057a4063356062502de74fcae7332b9bd54ea5

SHA512
5b7f2f534106e0cb742265de33902d058e229018c12f47b6cb9ec1786619e154b82723b2a9fa1426d25bc23196598d0e3763fa0e3ba6c3922f81e9d9f7bf79aa

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
5153544f57769d0f1d082fa85369f481

SHA1
6673ddc3f5bafeddd00d2871ea296ea1e4dc001c

SHA256
e31fd4827ec74d4c36acc395bde08115a675a4587cb804a0f479bde55a4d23d3

SHA512
dfc2090a0993cb226ee29b7108beb684b9e7e1d50d9ee601f39603467fb0cc02df0070ba7b55d1608f614b38cf38abe48f7e5f0632a8eff4ff50b5f6454ea0df

Download Submit
memory/2468-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2532-454-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2532-162-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2592-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2592-451-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2692-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2692-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2780-55-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2780-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2780-65-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2780-61-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2780-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2956-367-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2956-121-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3008-109-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3008-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3236-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3236-24-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3236-15-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3440-1-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/3440-6-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/3440-87-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3440-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3452-99-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3452-329-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3452-100-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/3452-105-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/3664-366-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3664-117-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3716-80-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3716-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3716-160-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3716-74-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3808-120-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3808-31-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3808-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3808-37-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3932-161-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4100-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4100-164-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4100-455-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4100-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4344-368-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4344-134-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4376-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4376-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4376-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4376-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4480-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4480-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4580-456-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4580-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4784-88-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4784-95-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4784-89-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4784-169-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4952-110-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5092-365-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5092-364-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5092-113-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download