a1e126a78f6c553c8dd3308dc1c4f17b4e9ffe41795d4f7d9d0be6f37b53a371

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
Size

1.8MB
MD5

7dad17ad300beab2378f81ac83b4fb86
SHA1

ba1cf5afdffee375511203bbacd45c677db542bb
SHA256

a1e126a78f6c553c8dd3308dc1c4f17b4e9ffe41795d4f7d9d0be6f37b53a371
SHA512

ec198d3241c7618e066d16199b9d070c50467dbfe229ee26b9725c25c2243d82ca2c9288273412c5b9c076fe61b778dcb158ffef978067c56bc1ec0905fa3f6f
SSDEEP

49152:GE19+ApwXk1QE1RzsEQPaxHNF5UbU62FAQ228QKl:L93wXmoK3qj2FAQL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2764	alg.exe
5244	DiagnosticsHub.StandardCollector.Service.exe
5076	fxssvc.exe
4512	elevation_service.exe
5216	elevation_service.exe
3104	maintenanceservice.exe
3288	msdtc.exe
5148	OSE.EXE
3472	PerceptionSimulationService.exe
3536	perfhost.exe
5488	locator.exe
3292	SensorDataService.exe
2096	snmptrap.exe
6008	spectrum.exe
4336	ssh-agent.exe
3712	TieringEngineService.exe
5804	AgentService.exe
1168	vds.exe
1876	vssvc.exe
2020	wbengine.exe
1860	WmiApSrv.exe
664	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c91e6b1e8beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff9de96327aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c36c9c6427aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ffb486427aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000687146427aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be45956427aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d723f6427aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002438256427aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000267ece6427aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1f1216527aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ba3136527aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002205166527aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007827d46327aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe

pid	process
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
Token: SeAuditPrivilege	5076	fxssvc.exe
Token: SeRestorePrivilege	3712	TieringEngineService.exe
Token: SeManageVolumePrivilege	3712	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5804	AgentService.exe
Token: SeBackupPrivilege	1876	vssvc.exe
Token: SeRestorePrivilege	1876	vssvc.exe
Token: SeAuditPrivilege	1876	vssvc.exe
Token: SeBackupPrivilege	2020	wbengine.exe
Token: SeRestorePrivilege	2020	wbengine.exe
Token: SeSecurityPrivilege	2020	wbengine.exe
Token: 33	664	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	664	SearchIndexer.exe
Token: SeDebugPrivilege	2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
Token: SeDebugPrivilege	2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
Token: SeDebugPrivilege	2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
Token: SeDebugPrivilege	2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
Token: SeDebugPrivilege	2428	2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
Token: SeDebugPrivilege	2764	alg.exe
Token: SeDebugPrivilege	2764	alg.exe
Token: SeDebugPrivilege	2764	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 664 wrote to memory of 3376	664	SearchIndexer.exe	SearchProtocolHost.exe
PID 664 wrote to memory of 3376	664	SearchIndexer.exe	SearchProtocolHost.exe
PID 664 wrote to memory of 2852	664	SearchIndexer.exe	SearchFilterHost.exe
PID 664 wrote to memory of 2852	664	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_7dad17ad300beab2378f81ac83b4fb86_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3680

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5216

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3104

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3288

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5148

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5488

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3292

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6008

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1060

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5804

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3376

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
34b6b18541c7475106d083515356200a

SHA1
3b38f47975b60c72d65dceb2fd2a98647aa49661

SHA256
4fcb410f5faa34df310121b2b46e04fb1ecea5ef998bd528c90877012d895df8

SHA512
5e2faf7bdd63051087418b79f85e353e612e1e7f7f69679f7a07900353319fdff67a2eb8ea5a3c9d953cd842fd865d553930fc27cf83f61a41c719e8bdbbf9d0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
e44ad6f8ee7086910dadbfa018c7279f

SHA1
16ba55d6cfd3da164d278c41454b41d5cb60287a

SHA256
7894e2499effea603a77afaaf3032aa38d2beb6ca33e6cc130f44593b9294e9c

SHA512
bdc556eb1c855edbde863a92bdc6716b364fb8f37e213d715edd68795a8c07aa2192a01ecd49477802d9896c2c5455434bc430c5ea91ceedb6aa510414ba65f6

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
593b2922e751aed9b8c0609c799b61c3

SHA1
7e7ab15781101112c705881f73dab9110ae175e5

SHA256
dbbb519ba3776cd29e0178950d3de86f7ec5a42556dac2c8a1ce99989ee69454

SHA512
b592daaaf9ff5966611e373949a93fb092a2b7098599ac46dc0bb416006f0713759b44b5d84767dfc728a851986ce298ecc872b60e2ad63d73eccfe7484c5c6d

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
c94fb2338125e8fcde382f044ccccbe4

SHA1
7f1b0b19138c51225393774f5eaecc6fd48a4a59

SHA256
7cc508a87f657a7fda7fca8c8b3d62d2514f0a9f7eefaaec4cb634e4c835fb54

SHA512
130fe6df0c3d206cf0991b71eed9aa3a566b783ad02e566c11e924ffb3eeac61ea1879f5276882017c36efbbc39a96fb7cb13046ee10f2475f2ad98c57922a28

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
6a050dc72a0d4be7bbf31d8fdaab6b9b

SHA1
b1f2a47318bc2420b7e1d7d06710553f71b8656d

SHA256
3052e52303e83ae90006581bcd8e40fd28043c86b22f573b1a00847a409d5f99

SHA512
122e0bfde76785887dea092c29ed63d69cfee5c5111c352e77852843b4f49f9514f4861d1a42c9be4569e3ef6de5e990b33ef0e57d236282038804e237b0c448

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
73a5600afb799523103bdd9a37dcd19d

SHA1
9192760fd7e41f0cca13766c0572f46b0057721f

SHA256
c2450421500518fa16325a3482494df62de567ee18300d5f2e0d4a628a3f7e01

SHA512
9e603ebb3e1f833e27d13cf16d832733db1b3006bcfdbed59277957af2fef63e0e201c9200399187405495b84e32fe2a9b6fa74efc1a93fc8fbe789a4dd1a92a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
1fb9af79d1423bc953362c25cff43558

SHA1
4fcff5f9bc74e7526aac9f67806e148a0d435ff3

SHA256
b22c7a857c2498ba5737900b890f582fa59d9cf1d168d2c29bf9ba2b97a4ec7e

SHA512
5a0cae7ba71faedbe102d5e7b3754e90fcd163645fc0c8b81f1392103fc1ec7d94c2a5f388368d7f6e72d05213e2a298d40a09e9060a2a121aae95020c7b9925

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
12a287d70af73890dffb874a4fb708a6

SHA1
afd351c58b90210eb44bd2ed8d3e27276ab2e787

SHA256
8331ddf0e38af3a42a5ac3b39db5a9f6bd08e29fc8d0746042bfc2a81ba31bb2

SHA512
508c025018cad669a1aafafd2f26fb3b7c03f8c2d09fbdee9fa4a0fd6fcaefe5860fdecefa78a64f76738ce355ad9dcc9f70d303fdef4112202e8a11630296c9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
983cac6ad5166d98e03154144667c5f9

SHA1
3da312d4363f37c04bbf2c9a9569041cfb1e6a17

SHA256
cca23b458547505d7204f5733627cbd068e853f0c95312432b234e9070db0bcb

SHA512
9b1186aab685a76a061b048787b74c91885ed9d8ab1eabf65871e4c69168b8bb3b0d38fbaa7b361a563c5ae5aeec104da14217381b46eba91c4d056bdf008b16

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
e25a371bb1c21adfda5031bfbbdbb586

SHA1
beccd3ad14ce47bdcc4ad672a1daed1df52f21b4

SHA256
7ec8ec5fe9237a3761779b9feae8746dbf41a9b9e21085f5b67c7c58584ef75b

SHA512
61ab7dd0489ac20a522d43fc8e678adea7dde00a4be89f96796da1e4584bfa39fbecfe64ca286de7fa8d1637f6abd9f072fa512b7f242a346466234ab879d67c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
660c39d6bb8a3b48a1b18d762fec1bcd

SHA1
5804f3c0b4abc5604f2172f8d242bffe4d1df5f5

SHA256
0539aeb390fbbe7d0f15fb6a8df3bb7c39f30454a0a37f3000ec5708d28ae311

SHA512
b6e9978ae61f229cec0cc9a9138c69ff807762ac0b55d7c83f29fd7c57289ed64f0bfcca84402719a46fe2321f1aaa0aebf9a5e5c256be5cc7a6adb7b9e1dc71

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
8660bbfb645a9ef016829cd72f3df290

SHA1
753930ae088409913505aac128eef032bbf045d4

SHA256
017f28ab41b1ddc0aa8614f78a1bd49bcf6dde5f57e5750110447388c0076d26

SHA512
7c7f2f95a07258af26d1e829f53e1f6fe5866c6207c35911bf2cc322f6c43ad88a30b37ea56f838298bdf3da8ad040a33c65ba7d378e76cd09c025f52e049f63

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
a65d80da5e8af855cee7d2add3febba1

SHA1
302526bec233a34f18dea14da3775244785110c0

SHA256
ccae193d258c78a5da689cd86018e0bf9644e1850c9523f5a7a45940a1568f08

SHA512
96b0d16c0a5b122a7b7513deeb5de73aaeab45945ae391b63d76819eed5753f5fca024cc3e1898e0fe7a8f67f346c8db2e37ea1a35a66fceee3b63691a3b6a18

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
87a177633cea9a098f9d7b4cb59e5f13

SHA1
7fe774d38ad5d2157788ce8ea6fad3687907b206

SHA256
3a6fd493e2545e2dd1e67c6f06943ce94b516596c0fa927264d3998632617519

SHA512
838434fdc5027e2d5bf6fe7f90d7bd597a5186a1aa2a9dc7d861a2b8e8b30a924793040f48fbbe26b78ea9c72b8f635087a9b18214f9c49ca91c4c9759bb4242

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
e83e42f034a806c6a5354f8c4af4588b

SHA1
a01d9ce09d5ce23270146ec9fd01500ffeb0a2c7

SHA256
eb27bd1376b8002b0a66757c0c615ab78f0b33dbd48f654a14f611b3d9d20555

SHA512
515b3aa8516f799a5edcfac72a1cff8fa300f46e2a699bc08f7aa4d3042900a90e090c2889e353e1c8976c31a329a2439ccb4fa01e3977af9da330362293775d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
414bd91bbe10676c32bff7ba5271fff5

SHA1
e26eaaad52889812ec98d80e95ca42effb25c684

SHA256
1a6a2bb6c04e0705ac07d9f8f260dff445adc54dc8bb8217f44823054642a028

SHA512
bb5d522e58ddddcb1ec20cdacde64278464da1f4c6752388a9723dca55ae822d20093424fee5e56e7c4959cee59cf07a4597700c7f0d2017642feb028fe16c50

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
de00b04393e9f454839581ff4d71af17

SHA1
767bcb26a164b32747c6a4b3e755deda7d8c71f6

SHA256
7f94a200d18416df11db56969f0e34bdd016b58b944e8069044fc4420e26bf74

SHA512
ab3dd15174cb4b3b0f075a4d9ff03421ebd9f2abe5edc1fb04ec1c7769814d86e0678394131f7400fe9593099b3949a28dbe3b1e07e5db6c4a2246903a5db935

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
dede2acfde07e464e232df32b4c1ade4

SHA1
78c8293307fdf518b7524c06215aa19a28470863

SHA256
5aba9b92e9ee3cc2dcbecb6d67ed977be3a680cd39a1ed9bfb4694b7c967e91f

SHA512
6596623b956250fc38d96dbddd4e8e37d4c56b52576d2a9f12c0f312715536214caeb63ec926e75192231e34a169e9acef09b78743c46f6da7da0b7e9a51c5a1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
4c45ff7cbe3154eb0f41ce38ef083462

SHA1
3b29965446f2030d6a60b3dc40d15c7149d5256b

SHA256
8c569272bd05d3119f33939a405844b9f612f4d9e97e02306964dcf9f10aeea1

SHA512
c9b844fa0da776c3342c87abca774d0aac38a26573826ede18f53d6172635891db2fdda3d76fcf86aa9046d582adcf289d0f0d439c59d4d2a59eb3436d3befd4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
cb739b9771c5609ab8f1c1fee3bed0f8

SHA1
3350bafd205c47bdce831af8d94c8abb5fcc150d

SHA256
4732d5ae9c66ff956326c853fbc23c6df9b960b37ce5f46670e991a92afa8963

SHA512
bbe1f8603dd53d20bb7f63806404c7cb8daa9b925be01879a849c96ac9b648f8824e901bf3e5ccd0b1d9c39253d1a4e86ca4f9c612dc18b2605dc210dd8ef495

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
33db6cd3b5215d78b98f5f2eff89f8da

SHA1
37d55654fdaad86d67bdec8cc618da4f77139988

SHA256
9c54d523756ca7593feeb86207cc56ee4eb90a44904ab4b3125b912a0eb6c1b6

SHA512
df68afb15db25d98c448c0b24a8d2c6daf148edbca69d38b4efa31cd555ad3117c490dcba6e7b15626fb7184783e70740d5232d7e95f98ed6159c5f452fe9312

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
b52c451a27d440c3828989ad287c78bb

SHA1
680f80e8c1bf4c3c412eec5351292b5bcf4514b1

SHA256
95b47d66d42b6106317660d81fcccb956a6976c40f14842770b4ee2bf7292d96

SHA512
030be3470ff1c5e9df775694b44ad0013d2d9312b0a32bf4551294a8f2a1b08508da08723d995f4565b92a98ec6b4ed7941f3a578774e79e0e9edcf9c58b62a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
e7910f6c00f8bec04518e9fcf91924ee

SHA1
1330ac02f43bef19781e44dd786a1037d1663633

SHA256
0bb8cc4dd79a31f0dba8603d5437ef81f9549decfdf9493ed1da17443354220c

SHA512
eee0267b2e35c8996859f4ada019b9b291ef0f808a36df994de5068c46d58b1126bf5f219ae797f048b5a63047ce2daacdcb1f07a9144a7a51e7877b1a8a13ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
aacb3a383d3053c5e582afc8219137f0

SHA1
b26ffa66802df260c4921e370cb1e0f96c57ae8f

SHA256
e0fd7ae9b1813becdc16d70cef9ddb6d73b91d6829f285a4a99e98ff1e54dca7

SHA512
9af345e1335fa848c8c95bcceb558d98d4a4e72635790c7d0f0180b31589bcc582711faa9f72f335de05862555ede84ea718673dfd1618f6694f1eb83e7cec27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
92957d26aeeb114dabc9f852740a6509

SHA1
449afc0c2b0616dbbef8f35d3daa41336c07ed8d

SHA256
a53dd16870c49ee954ecd73a3072d7ebb29645c15c195f47854c64d26ad9d56b

SHA512
106dac09ff719ccfe2be38fccaaf28e4e8967cd6291650c2026e092c7a21dea8e6b7a71857c3fa8cd95cfc70b5f73d7eb7105370c8db8d1955b8d2a1e509b9a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
226e72d91b32f72168ae2a44e00a578e

SHA1
fd1dbc02afa6b7191c0e6f90696badde80492345

SHA256
46048dfc874ec89280d1a60a16c2860051d0625f8277ee9dee1976805f735195

SHA512
9081f4d2141d8258b8e6f0700d049a8572bc5f3b44dff6692d053cc096015689b6a63110d74b5d49a28070ab4f55c7111a334cd38f4f26507907a652048ad7a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
d7a998d3394cfbfa92cc8db816d4c173

SHA1
dc0ac3acd5531d20af43e8ad1c7915fce8afa3eb

SHA256
282f0e7951d1e8a1430ace7616f70bba407627200c5784727a6367c054eeb3bd

SHA512
16517fafc41b1e6735a1b589143b30641944f7710c9296beefb8a8245a310b65a40f91d2d3d915ff315ecb51fc07ace02d9f23f6ed92118384038adcb3d98d9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
c88a8a17258f928ff180d906018feea4

SHA1
dac4e489066a9a059ec987602e244126daa764d2

SHA256
3cbad1aa993b168ac67b75f0fb5257b5cb572adbe75890cd68b54788db15ba1f

SHA512
659e140c16a232c51b5e6d5f63a679cf21e3d9110dd861bcf278831c0f5a676e8ad38bcfe429542fca32b2d5e701f5e40fcef9b76e776c09adaf72fad09e8b64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
661ee4655b4581ba65baee0d42eb113c

SHA1
7942859e2b5d0494aab212e2155004940c86cc25

SHA256
38b07798e83cb2bd5dff4931c96e49654dfe04dbcc2dc10b1ae9397cf0de4f6c

SHA512
48bcd3ebebc4cbfb17d1aeefa56d7cfad43ab053bc6d0fe5a9310e3036a374bf964e693d4ab3c4d437a190d57c604efa02efb08ac932ed19f05f51126e37f876

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
cafba6d3a53f61ff39d3245ab7fbb84e

SHA1
66b91fbc71bcdca99e9c0aacf499b20befe4865c

SHA256
eb275a50770e2c3b560d02842003cf3c87190ec7002ccc5548e338adf74a05dc

SHA512
b09cd7245a8976877613ab81b286dc20f46822ae19c3a4016ee88d5a8db0979402fa9c81229c2b42dc8a29e6c5d00ef018032b03e37c4ca0a690041d5d3c8feb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
60f2aa6886032e4cf1afd7684d945244

SHA1
7fd8351824a7d40625db05ad6638120639536890

SHA256
49d79c582be3b6b9b742a94e26597086a502f48f68463c54470cb48c82edc90f

SHA512
df3204b0d0bba2b35a1fda8ddc607fd5a1997e652294a7a9e18f6bf9cb8144ef80b9f448990a93b943a0074a2b8284e1827635c0802586af268cc0fae40b13ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
e128d47e11f6b3d58bbff643e42a4f20

SHA1
3d01d7aadb5bb8281dc8073b1d28492532602058

SHA256
3a47ebf00e03f477ef506ed4327d873361644a8c95d4a83526e65e0a89fbb475

SHA512
ab885e8ec4e9415c66243de9ae6051cbb21c844584a6e9f06aa17886625df27505536cd16643535b9b940faea8ae3e2f546724acdb0fe8c490c09e7e46ef4e45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
bfc11f8e82a85d5822065aaa895c88d6

SHA1
02460656dfd2788da1453c61f8258a71998dcb8e

SHA256
1ad09e2d9d8758839d9049cf026bf6074bddcd32c85cba88d1160fbbbd785802

SHA512
4ced3c6d82fabbb04632aca5e4754a251f1af421b3746ca8a279ecd1dbfa3808b4fc232b79f99d64dd8ff465e9c7a32bfd62a66863e8e48914b3f81c87257ae3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
8789159633ba8fe53be509bda691dfa2

SHA1
033105d5d2e44c14b8312c011e99ddc300833974

SHA256
cd432a4657dbc17831befa554695fbe5b642097a3bb7071db1d16d43d2996b17

SHA512
f132cdde9fe91d3237f01ac77aa8392842617b95c1d79ee16ee8993d71894f9e0f339d1f1f5a00bc0cc2fc5f3a9b3c2aee03c7bfa0291353513d029e80e9fc9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
d65d8afd189512109f7f525afa458a87

SHA1
c8d2ae30916b0a4663844c8d9353feba11bed959

SHA256
db0ed447d2e6f9d283da5e5b07731893abd437ca7b47af55fc80d0d2fc5a9d71

SHA512
62f0de0f96d4b18fe63c2df266562d972bc1f32f0a50a7195d6cce838feae1d33aa010e2a6a825c77a098cacc53d87534971cf603738401d8d0a361b4973f63e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
a031637d9b839d46a2d5e42a2d8a735a

SHA1
0d19602f36cf36893be0ce2eaf60bebb27d9c61a

SHA256
699c4720b21600e38e99bf77b263b4d12401abac3459640bc90298e9f3bb60c4

SHA512
5b93fa67e2b45d9e3dea8712778c30710b96e321edabfb8f333505cce385437769996802e09b67365e4398a1ef5bc500bb063ab030339eeef13c19141a24a231

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
0c81c3b89ef4643df71e559100c06a2b

SHA1
bf9369a3bb3909e0d974ce3b74a24105e3ab743e

SHA256
846fa51b36f7c7d31a73939766bbb94af324d3951750772af30371a32982c95c

SHA512
f8157d77407c67da544d1017b52d06bc71555f1f4ca6e78bedefa441c51d45e44dfcb6aa08a1bebdd2eff4f98c1431dbe01a6a160b8ff09e138a228b5f60e7b0

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
ac72924520dd6110ffe61fb8e726284c

SHA1
6a88bdb15a8fa20ef330a91b9864e934235382ce

SHA256
cc9d0c97a6e8bf39071d2f7d342b09e732fa8b37b9dfb6835b0e250196a38110

SHA512
43ae769dd7e762c3d8513df9260965bd52b5551c4b9c1b0989bbf5e31a39c8069feb39c87b2c10a96bc4fca2f393e667ea26a904c4715ac2bfa6934462584546

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
b11885237dcc4d8953f8957c2232c97b

SHA1
b2e9b90aae90b32b52278ce9df83a888f9e96249

SHA256
dde6459e0a768de96b1bdcee0b73f4daa11d881c67e0ae887f7e0f90da5ad2f1

SHA512
fbc5f2a3c9924f8c247a5b4d0a45d2bfcd2f87b29a167a12bba72a627651fa9f13849ea854e7422af0743820ccbda720ab6f144c1e79062d374befab9e9bc2f5

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
fdf1ffb64ab6cec8fbcf3cf57b27960f

SHA1
11ca22fc521e512d57a11841d967287ca3b94c89

SHA256
fc4b4fdd623b36cb1918871726bc166607835874a83fc7c343c3a8debef1c5ea

SHA512
61326ad615a7de103d15b7441d3d3762fc64a4fe5fc936793d2c427a382c7980d71ebd83fabf7dbb3760d2e672e87d2a500d4eccba5fdde84e8edc7b915629ca

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
fe7516b2af67a3c114a30aaccea5801a

SHA1
ae079bb7409068be553e14d59e56845decdbb620

SHA256
c2a516dd2bba787d91c62b552918cd46b04605a1e55b4e5cf0260dd79b53e488

SHA512
a3579e8fe2dceba0b918fa71321fd2cee8fa8109f6251cceaa4cced242fa2cbc22cbc6080104a9c14cb252e26bae411dd766361f8db18603ce39ef4088692a96

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
ca0173fa41ba28a8d9cf604efc185a37

SHA1
2bfcecc001b63a5b5897c1492c2ab61306af099c

SHA256
5406d7b4fe6093ea5ebeaf61d6281a859108d2ecb92a90b7811c4fdadd04f719

SHA512
f8da71abcdff1753a9e60d47e0ad6ca69df38b573c73eb9e0903fb2ff08c46107940d973a457896b3adb486bbfaf86c71889cf2980a60a705cc7848f8d36ebf6

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
0bef013567cf978094102e3b9687779a

SHA1
5f011890418a8303c426862a4239805ed98675fe

SHA256
8387d432c42f0fc1e09e3e06a93c98ff07e8973d5dddd9b4ef723c900b547875

SHA512
fdfff9b1ebf8c222378e5d9b46c0bfbe842d3b853989fa6c1c1567aa55d84d6c23b57aaff9948e9adf299b13cff978cc5c50903e72db4d73abd0a0fa04dff416

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
204c7f31f3c9c014a95a277baca8a104

SHA1
e89d0c9ab3d2117ecbe36e9ea2b263e66eeeebd6

SHA256
098e35b4ab0a1f7edbdfc6c7f0deb6ff77fbee71ce0469c0e7f59bdc5c963fcf

SHA512
cbb2554d2e2497c3319f6510bdea7ace2c6e7e49c1eaf0c9cc310145a56bf8128c0ae4b94f1be8e2b4a09176055e19adf3b9023d99f18deba683d11b6aaafa32

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
5e81f31a109ce1d853b72609e2a3f57d

SHA1
03b3582937588544ee24604b4e6c0b93d8f31676

SHA256
8c417abdec64dd9020df9bc5c85da7e08343ff28cfa2d618c6683c74981d4501

SHA512
da7126d8a696e389b34da3e2e0fc550f2f1b45b545ece047ca5364629e8dd6c4e31bf172c4fbc605eb9a58517c627550247fb28dcb33e6551ac8653a1926ff57

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
830e7406d009cead11e68653bfb2571e

SHA1
8e4969c0c70c63bc2e557eb6d384209bee2e54dd

SHA256
a0fcc6e3da4e8b8f785216b027d98affb64c01c97eff72851f28b792311204cf

SHA512
d0a1bae8e6a8c29a9e0958415af5aea33121f4d0a28df3fe83660f1aaa9ec74738b9ef3608c89212ace8b70ce99dfcfb497dec1a9728742c12c977f987edd8d2

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
8f5b6fc5ec9983a364f48c5182a815b6

SHA1
6075f8d7b0ca7e10ca1435f36c432a8b16f9257b

SHA256
92311ef0d79a4389c5f2f8b5ea814b31f5eabf18b67429755fe4d425a35c29f2

SHA512
afffac8c45a25ea4299a6b65bc811d0590c6794a220fda7493af8793308b7ca0526d710296aea6b524542c832a17008fa6c7ba27c80d9471ef28030968be6cc7

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
1175d9bd4d51231b4453a5f30169d800

SHA1
c3d927b8641d2f7c91bd65ceebecf4703f1b258d

SHA256
8f9745d5187c71207f649f6b5b8ccbfbc47959c32570a4301c53c2bf17d400de

SHA512
806637d5f06fed2b6937cd8d0b0d547c213c6b20a25efab1f5ef815d72746ce62383ff7ab4a7276f6230fef7e09041530c01b06449f737e7c8430afb75b3f33b

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
ca5426721e1f8662167083e55fdbfee6

SHA1
7b9386fcd52d03e579a3a089b8a541d4b9b86c49

SHA256
d271e303c2e232871548800567e3826fae3a58bea09e3ca56c7389f5d8f85856

SHA512
e9b4b53e83b98b33d4f1fa2420e1331c6e616ede1d43a59e36362445ee70c13118ee959a2bc6526ab0d12efe98f525bfd0743a51f6daac99593106d60f4212d8

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
d38152abd16a39eeb857601de2e948a8

SHA1
a8df716682579d5983ca8c1d0a69be2f672e7e82

SHA256
ca97747f09366e4e02089a68feed63a3e293b61fb1f14ddb99c2cbbd623b7fb9

SHA512
4b7fc5411286a5f26860b340160a16dc242361786ad79fbb6f84826fd5d82e8f9e603fa2c40b88dae9a89254d8e92d3c58ae7560546a54a2db505378fe1a677c

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
83e0483e1937c4af57f4229b7400b39c

SHA1
c5faee1451959b7dc822cc5beab2c0319f423b4f

SHA256
8d77c99204f7069de5e81bea8a2f0f9f66aa99edff6957ff4f936bbb6c075622

SHA512
cb574c184893267d157a14993dfce4eb61e02fb638ec22286fd0b7b117ba9358ec6990216a9d47a3405778c9a35fe26ebab184416a7f0187c39ba60c8a0c0566

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
faf1a082096f2ebd050f7dbf5bc6353b

SHA1
5f2f5da4ada8c1d09100781fd0e709a879214167

SHA256
2c943c6bbcd4679fbc6cc72afc5b55c9cf2f29a8ac2f100ef5443e46b01dbe53

SHA512
06aa8a1c5521f99edfe48c4d341bb95fba5581c8c7eb6d1ed148d233f49c96a16b9bf052eb3bc47c3a4aa03063015a8c4cc27622e7d664463e8a028b906662a0

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
54673edd707fd256fb76fa905d75c0de

SHA1
d5b6a79074b0b04749059b99a2240d74586a79d3

SHA256
076fb1e9fa38d909fc7509b26729d97d1d3404ff1123f89ce6fa36e0a139fa23

SHA512
62ca601b7451fdbca08d663a526a1c0770a4761539fc125bf84553b920218277e55b6caab5a6e957deaa11d499f54fc7dd4cc005420b82f3798169044b471ddd

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
d91a590a42eeb704f9ea6e0fc0791c51

SHA1
b61b6052682a1b349f5a6cdf44a5a51a756bcc6d

SHA256
f117af9aad1d0abe32fd4d4ec1e2d114d381e64d2443ef8e369766ea2b24c3fd

SHA512
7c9283dc4c49c1d6f4e6955297964a007dc670e47a5d3f059b0189c7bdd6a7660df4283e11cd4a00c13a5be9c786b2a59fc328aa91bc5e270088e82e44e813f3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
23712da18fa315f99d77827dcc17c4db

SHA1
164fe84ab3b6ebdab3912c03f5c4f2422f7d7f19

SHA256
f323b587743dec83b532de7a92813a7b4545376c5c6514cf1242821be43912f0

SHA512
6129132b76504d77789e43d65b5ca341f676b30e3ad62342fe512878080527cfc1ae7cd2567028e64055c793495b7c4b5c85202a3be19fbc7b4ad64e0e1ec309

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
92cf0c728749a222a23ca1f1e90ce661

SHA1
7535561162b61bd79330ad687e3cd651d51beb2a

SHA256
8643c08f4f64869f35cd69114ea5c0f22dc058afae0386e5f1c35d6df124cda5

SHA512
6f6306aa335c3e4cdf991e3315c148f86a3d640a6869ecb476d802752d413ba7ee65280ccc8ec837a58559ede117caea4e0774c603577e284b26a0294f6013ee

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
92fb0ae8a094d2e2ff3ab42dab5a780c

SHA1
b773471a08b483dbd37230830dd3661089e3345b

SHA256
d50cf057da8b3796b2dda073a81aadf86ff9de1de3a31edbe085c41a8da5c0ca

SHA512
4b85d6d7675df9e9b51ab7c470e5425e3643aaafcd09b71e242ad9609bb881a8248401633f1c46221a3fe80af5b37064fa6bcde1f10a84cd98668afbb43a1594

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
874a3a8b60449bf686b7aced133788cc

SHA1
0b1d1661b283413aa357b0abc39ff65d190e84be

SHA256
b23fd1712b999af5f7ade50a5ffb7a106ef06fca074e7a10eacf1ef8210a811a

SHA512
5296f2cdbe950619cbb8c8bcfb476fc88f416f6275a65db20d9e7997701b5c5631aebe62a1f751f739ba567171d5baf2c1e88956bc6d79f59d9024319d440a60

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
ecf2b867184c6d9fc4a8ff91a561367d

SHA1
44a2bc043b2476386c4cf99fa8a3de895621a596

SHA256
6a5cca9a7345ca6c6fb22f9aa7a6200a1b20db7600bb697c899da2d936a05089

SHA512
b0f1f79354bd1c57f3d427e4fc17dc70dba491e175f98d5ffabefacc29de9c116409b2e7340cf126c225b05c7d58937bad7fdd191ebbf2472c6143830bbb4609

Download Submit
memory/664-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/664-630-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1168-214-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1168-541-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1860-629-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1860-257-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1876-225-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1876-622-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2020-237-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2020-623-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2096-384-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2096-161-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2428-80-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2428-1-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/2428-6-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/2428-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2764-19-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2764-11-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2764-97-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2764-20-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3104-81-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3104-72-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3104-86-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3104-78-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3104-83-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3288-88-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3288-98-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/3292-533-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3292-269-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3292-141-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3472-120-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3536-236-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3536-128-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3712-537-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/3712-197-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/4336-178-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4336-530-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4512-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4512-50-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4512-172-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4512-56-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/5076-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5076-43-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5076-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5076-37-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5076-45-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5148-109-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/5216-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5216-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5216-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5216-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5244-25-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/5244-32-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5244-127-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/5244-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5488-138-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5488-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5804-200-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5804-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6008-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/6008-491-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download