fb7f69bcf622549f1ca578fdf936d6c2d834db7def2ba46131cb46aea616247e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
Size

712KB
MD5

ad23e5462a17029474bbee4b53a74cde
SHA1

22992ae27136a15a14d105297a44c102a898046a
SHA256

fb7f69bcf622549f1ca578fdf936d6c2d834db7def2ba46131cb46aea616247e
SHA512

fa714bed969806ed0226300f3779b1a079534338088acc65889971776afbd43374beda1308f9568ec6f2108f5235f34f9e6687dc0bd3acc039c7d129156bd88e
SSDEEP

12288:QtOw6BayU5VFWwHiC4mxYr8PCAwQy3KVMsMWsYNv+0kHe/6eZ0hW4:e6BrwH/BYcCAwQEKesf/NmLeiTd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4752	alg.exe
400	DiagnosticsHub.StandardCollector.Service.exe
1848	fxssvc.exe
2444	elevation_service.exe
5096	elevation_service.exe
1600	maintenanceservice.exe
3104	msdtc.exe
1892	OSE.EXE
3720	PerceptionSimulationService.exe
1092	perfhost.exe
4100	locator.exe
464	SensorDataService.exe
2556	snmptrap.exe
2560	spectrum.exe
2596	ssh-agent.exe
1496	TieringEngineService.exe
216	AgentService.exe
4740	vds.exe
4616	vssvc.exe
2576	wbengine.exe
3356	WmiApSrv.exe
848	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\efcc5e38bb5459c0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d67d01cc1aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006efba61dc1aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000022f971cc1aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000258b341dc1aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e135d1dc1aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cce6b21dc1aeda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
400	DiagnosticsHub.StandardCollector.Service.exe
400	DiagnosticsHub.StandardCollector.Service.exe
400	DiagnosticsHub.StandardCollector.Service.exe
400	DiagnosticsHub.StandardCollector.Service.exe
400	DiagnosticsHub.StandardCollector.Service.exe
400	DiagnosticsHub.StandardCollector.Service.exe
400	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
Token: SeAuditPrivilege	1848	fxssvc.exe
Token: SeRestorePrivilege	1496	TieringEngineService.exe
Token: SeManageVolumePrivilege	1496	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	216	AgentService.exe
Token: SeBackupPrivilege	4616	vssvc.exe
Token: SeRestorePrivilege	4616	vssvc.exe
Token: SeAuditPrivilege	4616	vssvc.exe
Token: SeBackupPrivilege	2576	wbengine.exe
Token: SeRestorePrivilege	2576	wbengine.exe
Token: SeSecurityPrivilege	2576	wbengine.exe
Token: 33	848	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeDebugPrivilege	4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
Token: SeDebugPrivilege	4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
Token: SeDebugPrivilege	4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
Token: SeDebugPrivilege	4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
Token: SeDebugPrivilege	4528	2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
Token: SeDebugPrivilege	400	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1380	848	SearchIndexer.exe	113
PID 848 wrote to memory of 1380	848	SearchIndexer.exe	113
PID 848 wrote to memory of 1224	848	SearchIndexer.exe	114
PID 848 wrote to memory of 1224	848	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_ad23e5462a17029474bbee4b53a74cde_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1304

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5096

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3104

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:464

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2560

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2596

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1672

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1380
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
48cbf97f32c715dea1368fb897383c2a

SHA1
c4307cfe0ec59940aacbe26ad8285ad5776cfec5

SHA256
025a7a881bda50f55c55a3945960cc735e20a3b0f4505705a45a2eef84e6661c

SHA512
cb33c3a1a6e5f71e6575c680ffc03d2dea8cc1ec8c8abd34e0586f049be6a2d90f7d3df09978604055cc3688667c1fc5d8f696185a1d0061ac1471a82522ef77

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
1bd034392136f4fb628fafd2fab1b978

SHA1
1d269bae1ede6140d4f22432db7bd6b4c64f9ad6

SHA256
70d30cc475927754f251e5daa72b11d30ea96b13e2ce247c080a287029c5708e

SHA512
2145b9b74697e9ef07951c46e8d4716f9e723c581f486bb2035582543e72b3526d09d9135d8af25d996c1d6b789d2cdfd49d14fed1db73486068ec7a45f4f64f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4341bf6572c1a69efc9b0b1afdaac85a

SHA1
d54cd51920608468e0baceaaefbd769b63ecefc7

SHA256
9b7a0bcaa099d0d28d888eb6f972524d304e16498594fb31dcd822efade2e67c

SHA512
952e9915e32b061f466d3e4c316f436f7ba67c669f6d982fb8ab2c5c3420284466ec48b7b228baa83267b8c074efc36b28096590d0c38ce88248c65c2f001c08

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
779a9ba9cd1dae3d9a2a813b48146db3

SHA1
291a218487e2e7053cecd661132628b0de232e71

SHA256
cb60bf07a21645682ec89b6ad183d49a7280e8db88ae1e71a3438a1de2b4974a

SHA512
5746d58a93f01ad3cfa7681a6fa18dfb6cc99cafbe36960f5efe6eee0bf85e4395f47fc5a2ffbf1b1a505514894f6c1c1934f28d059632e0f4e4c5ad75aec018

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7e0a7f0eba4d75baf730f8035a5f0537

SHA1
b97a522b946adc08738b597720c7e5cd7241a690

SHA256
8e9729658421b59eb30b653293088d4d7e038bb5a63add7698cc1c3fee3c6f97

SHA512
f51aeeb2e68dee861a37b3321274f9c79ca52dc81510e22ff8b52df00514f248915b1790895c279d82a839408fb8898476d0f28864c1fcc5098a66b98e233230

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f039a3694bb124e4e53bc47ede1a8f81

SHA1
0763f213e1a349770c419da94a59d165fa295f30

SHA256
c391971ce2e046b992ed64e6895b1cfb44f7ab642ac796cd15281d8980ffb31f

SHA512
181606558ce5111793f296d61e15812bb2e2cec27385a2945d8939ff49cfa6e928588ac72cf050dfabf34ffd0b1479f016b7dd4b105d29bea7ed52b620eab303

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b3e422ae9371b22dc223ab0c09fc1464

SHA1
a5ff8732d6e43431e6db0ca6dde299c8601f05d5

SHA256
01c04df526257c6879777b9aec647a5ad4fbdca67977e4abd34cbe0a125b8589

SHA512
4551aa5e58564bda3a76f2fc3a679a7d8d79472cd928130845ec46ab3052ed10693ce8d9491bf050c9d4c08739bb42776a8eb4631d793127a4526938e9562a3d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9508278a72b038e51ce3810b0b351a02

SHA1
30156f23955edbdfae79749a275f7b4cb5b5e859

SHA256
7e00c7aafb0c04f0e72f22f10bd436c01a8b29aff23a74a2efdd144601612ea1

SHA512
6f94d76720c86ed912f05bae4052cdaa53516dac2e492677dbd52c9e1b5756ef969dabebde6ca8e58fa40c2a1bc92c01b044985c18b4428a2d0111aa432fd9ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
1809589cf034d5b1de0d12c3bb4e73e4

SHA1
4608e348226e2dec967035519248d41f95dcc8e7

SHA256
e3338360598593e9b7c60e947aab669a3f1efb649b0d897ffdc6f27af95a9374

SHA512
7dc0d2570986e051ecdafb909863308f5a756bfbdd20f290aef2dbab0d5d3b653053eadba566a98010d09c939b04a0123fffaaa0f800978ff21f224c7c44ef69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3852ef7bd51afcddd6b30365360310e9

SHA1
45c35f7a55bce6ce5fd923578d75ee1f2aad132d

SHA256
b70a147a4933fffcad67357320f2ac1fd201849e8014fee778a5659ff856308d

SHA512
f67941e1709f1e7831ce4aea1acbdbace1e8a454a302e133e8f5316bf318509a83367429d50b176f8decec274304b785c19fe0dc7b601fbb65080243e1957348

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
84060c50acbaf783e38c385431bef126

SHA1
eb8a3f1fbf5687b34e708cc0bd19069ae0c327da

SHA256
2e11f51d0dc57f45021bf34d761ece51be289b81db1b788c25b1d3b1e042c412

SHA512
d2876c848046c5c8ec4f6ac473acd32e76d5c15a6df678fe5bc22a312d1a101b39ef3d9a69cb86e24056ab2d8334fedf733e0f97b51a334db6e1663f2594eb28

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
453fc208776ef375149bd8bf3e3570a6

SHA1
6eefd29a31f1d0fbaf11aaf206f486dc8dc26a7a

SHA256
a88eefdb9ee42348f228d1b5f7fd4d017914b6c813481d930a668cea96e2df98

SHA512
89de290a8cf91dd0e655b3299d9fc31f3460e1471b542002d10dd22e17aba332596384cfd59939b05fa093d9f67f0796f7a6093ebad4d026e0cec0864d9f0331

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9a6d7c6e6e5045ac79bf3ce60f7a5477

SHA1
aef2fb7eaf05d18185231112a6b5e5416925a5f3

SHA256
e939edea9b02faf01376be6ade0b1a808a7e681cfa02c4c9733678f6511234f2

SHA512
91e817125c1d39b98b9cbec5642df5fa6fcea1d9137c0a6c179f84ffd4ec5d91543ee9e1e527abf5a256db0bad5ffc3b0d80a9c56d85a09132f0cdeaa9f45ab0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e549b5967508382592caf19d3108d2f1

SHA1
129f8b418faca7a815f19b6d2ce673bc0fb801b7

SHA256
9f8e2ce5724a2e48851faf77471188dee931c952cfaa90f4ab2001fc48f01c26

SHA512
4437110f62cddd98033369427cf40c00d26ceb5a7f831c8d5e2a895eecd8bae37e224aefd575a4ef8026cb71877258409e38adca295767d37595b058fe1f4cf2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1d9b019c2da0867aa1745036b32ce3f3

SHA1
31dd9f01d693e78bd58ae819f1c2cb6de7211c81

SHA256
08b63af7eb1bd9a400e6eb8b4edfd9495e45d6d73a8ada4a011237adad4440d9

SHA512
2595c6dfcabfaecb9b53dfc31aa13ebae66eebbb5b9a09b22d917c8b5244cfa7a8458a502267219f3e43093a1c52d10387d0d2cfccdefa892779982867a8b40e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4fd8818d6422f68c061964942459b990

SHA1
fd13bef7ecb5525b84b59bbe61f1e00d59bbe475

SHA256
ee4abd9aebf9aa1598bd378c80337ee1d4abc6d77b0e34de144a3be53f45c0c5

SHA512
cebf64557a88a51cb571365f89401185641c830da16f6eca7b431b91d609a961041fd006e9184d120f6111274e0b83b89bab884fc676f267dfe9deb089d19fec

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
47c959820cee25078349dd7bf8ca50b4

SHA1
3fcf76e54049fcd584247bbeddf19e2cc4aaab9f

SHA256
d2e7b7eeee083d7ec384e9e5096590ff8032dd6f33680236f79aaeccdc0aab57

SHA512
8b920dab7d8535ce1767dffbd3dce7a3e300a8b6f95a2a266613c089440e527df156b1394d291110e96d883a43d112fb8107daddc2a20fbe6836110ecd6a0b99

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4dc496c376316de86b84ef1ddbb8c56f

SHA1
63c77f3791fd8db2483ae22ce1e320b47ac0d054

SHA256
4fc2b7b18f5db6d2bffbe0141815a496f3a5095e211922a80b8359fcd8df962d

SHA512
f758eaa752f899595b209caa9e9ee8259a4d3262f840ffb37f2662a1b3cce02dbb3c1690a124956092af0d485a24390b4ac624b17b9c2f0d2f706941d96a99f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6318d6bd0e0856a59655f96beca3d69f

SHA1
8bad843b2fbfdc91106c0f75f6f52d833fd4c83a

SHA256
f70c7f1901bd6c01524a740cd99d878558c9720f3ceeb71c123bf814c819cec4

SHA512
6e2a1bd726d8531cb2f96775b358e94496fa485e1f4cd0461be7d3f27f32c1d533bd73a21f27188509c5b8194671dc8328593d17082d10daefb6931a32d68532

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e0895dfc220552e42201634fd5062744

SHA1
3b62ea072ccb27dbdeb4c61fac412af4de37587c

SHA256
60306b6386695c5df8e5163159df9934126879a439534f30546e0c0b38967a0b

SHA512
77aaf930381093bd9dc006a80daefe84014743819023a59ef68ca4d06655dc72ea062a502dc0ec215fb718f0d9cf172d1baab152600e61443a13e1f0dbdb2eaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6f1f3e6c58133655c1128236c8301573

SHA1
dac3a8ceed9eb74704bc820ff73281e6b3a3f30c

SHA256
280af67de4708d41ae1175d74f04a88e4672e6fca91e06cbba88ce21c798827a

SHA512
40554998304be852e74433f58951939b90a6d13ffe72ff8714cd0f218a25c8ae43b3bbf27abce1bd377664dc5064904038f44116e7f45c780dbb58f01cb75d06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
27a315c42304d4127cebcfd37b8b07ed

SHA1
59cf1aca530fd18f28cbb9524461cfe0017d7f34

SHA256
1b5ee735630498c886005899d31b0a2eabf6dfc6174f6d98945e54c9e68bed2f

SHA512
48a877e9ccdb39e87ef8d1ae604af89b06721196557258a52a7f3203a95e52e2bbb853b4f546685f48b26a12139eb31d9445c77c4b3aff1ef2e7f2e94d06984a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
9df74e5d1ec63bab8f2a88da45d2d6fd

SHA1
ddadbf903280c654b4961d1388117f1a8cda1351

SHA256
1d035e5945f801bc0682af2a3cb6fbdaf055cce414c564c9d4fa74b9e8b83022

SHA512
b135da889ab4c96203d1be9a2999a5a44cba8b6f7fc86b7c5190740c625538bcfb103f7ef3c15a63e82303abd480c2883e3cdaec29fc30b82b5887f26f462288

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ab4d6705879be14fdc743aab59b9e108

SHA1
dfec6d9e4cb3f16e6d9e7b6f15e2c75d17e72f41

SHA256
be20c4937aa825cee83ffb9b378fef228c633cd7dc4d385ed3e331207fe6e541

SHA512
3eaa70609d4dab87a868f56d54f15302055fd3df0c8f0cf27098db24a49f1d86c6159034a22a3097519b1ba11a0c7ad6f8669a915ac58c60d9adb2b6b6b292d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
7bf9fadf5ed57c076370ed5cc2bee08e

SHA1
6e265cc3bf8b89901a848d6c91a75b041c267027

SHA256
3e0825470a5e68a94fa11b5ff209f45cb211a1b8fe17338dc81cda2d98ed5016

SHA512
91624e5af8bd0c4e0c7d84630364a3381ed202a913ec208ad46a5d0a587c6ee007b68e0d3cda69575761cc556d9cc6edfc99472a84ff5647d51a574895663508

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
8d2f61e600c8ee2636cb5970222bc5cf

SHA1
89ffac05f8ab39f9ca486824e851cbbdb5886184

SHA256
efe75b00fbd08e22e12703e570947b469fa7327ad630580b15ff0b1c4ef8d163

SHA512
d11559ce2a7c3ac3048d2647cc9f2e2bf999c39c67b5596d9dd148e26afb086517c6fb2178770d522deb61a3cf11a62bfac1f7d5a426edf3beb2d28a51491abd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d2e44d3c9ca84f5905f64cbad3aada4d

SHA1
971bd860551311e9f33d1d73cc8cfc4254d8abef

SHA256
39d88fd9406610f2aa70f94a106f70ee7eb2505f4414ca19c5703ab576c83631

SHA512
6da5f6f7217ea8da9a1fbe90576d46d32e77244d5c42857d6ca8d653b46fa7b2b54ebbc86af25e627aaf3cdaff5201a112deb04bba6328abf443f11ce83507cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
5153a96c4b0e4484bf0bd33dcf7628e3

SHA1
dcc576f3e27bd8c9cb8380d497850a14bcd36b65

SHA256
5762a386b0fbf35404113ecd54c469c136b0b8affd2e19b344169814b6c1fecb

SHA512
204b1673c4ce21c78bc515da11b67d99c6d1f8c5fb82c22c45891d5c003bc8bcdc27e57faed0094d98a7797bf3c24da07e4c5afd0405495e1095a60cb8966da5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3abc4d2cb63e6caf6deb6a4b33122893

SHA1
90d036d926a94a12739d064959d2af6983cc0098

SHA256
c7a38957811c8931f677c309c858238137dff0447c020f0aa18e045c32d98b79

SHA512
fc5df84b1f4aa9c459e83dedabcfc96259f22a2f0c4413759442bf3e54b5c2adb6f6aeef9963ec22dc6f5442311599ea868a5fd2fe663122392a2e343b3608ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
b575a7426c9fe786adf9615280eb6173

SHA1
23488b664ac80610dbb19d979221b65e0f6f5741

SHA256
572b9eca4849dfb207d9a18b7c6e7adadf9c2d165ec1221af7f6abebc8cccfaf

SHA512
55b09673d3157a424c4c5eb3eb2329f1ca5e31b851709d4f96ebe43f91013088f88b78c1430a933b79a6948eb873049b21c5abd66be5a85ae4a05ee90b6ad0b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
bca891e710e41a9e225a52007e7ff680

SHA1
6816cd8bf1ae89ed050cb201da897e1424eb17c1

SHA256
7a28c65897c8dbb3628b78fb5b588800508700f1780d2b99be76a1267f5ef61e

SHA512
3f0d97dfc446d9fadb4c5d5a175aea35641ae7e79f4fe2b16007efd093d4cce03a047dfc1785b76ff9520930960fb9049c96129093b857eb2953011f619075d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f1957c7f8d10cf0635b611e51214a97d

SHA1
6b114ce03a4a17a363c0142287c3120e42c2e25c

SHA256
4915073453086943661630817373bf69e7bfccd8853fd65c51bc33eced250ef6

SHA512
58dd77187a7fa6a975457b01cf2587c27e7dee9fefa78d1cf845ecbfeeb3f44e8e2dfa9890e96684e0f5790e76588e293635e938792ce26ece1ca14e97b91f5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a1c2118a0ff32700c8ebdae9b7af3a04

SHA1
86599da6d216068b0e2c31aec714dd2124648e6d

SHA256
8217f2e60c637209b1755081f11111f992aac1bacaedbd1fa2ff7e84c6ece4f2

SHA512
662a1fc09434dbcf80d8567e908d9423821064ca0e56ef3bdd00f322fa286e3f0eb82203178fd5910e663f9728b8236dac79081abccfac31c4cc1aca30e37e67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
ce4f8b6b5a86c9cc801e257809c5a6a4

SHA1
f6e2022f3172ba8597fc72b37ff5f4384ac32eef

SHA256
88c2f54561b1c0713c7fc93652b168743087f0d68e8b4ea20c580d871e66aae6

SHA512
577aa00b357b556a3a4defe3681b45ea98a47c4c592455995190af4a96cc888a11d597fa967f129640368a02a7fe03a37d3af251ff89c7dfdcc7dbb99993902f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a9d2874faca9628a3c45404b5d3231ed

SHA1
ab10192dcc23a51a1094821218bfbc605f69bebf

SHA256
e54ef197795d2427b365b0eae481c17811d5d32d824b7825e4798ead339b85d9

SHA512
a0e32d2373e8e6bb2b042f927bebce4ae394136f65a3205dc252331902b0cd928bc351f2c0916499a2c561dc8f76db95a4f82629af9d250934029a5a88095ca9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
08eb818e2a2b657ace0b1be0f1f445af

SHA1
70186679a7540a605367d8e0727a027171ebe6d6

SHA256
47335e4417083b78b66bb561e9da402881b856ef15e3421103c5e5eeaa851dd7

SHA512
dba7f35dd285def56b81706bc01e0f11acb318f664ad4a0d4da07cef977bc92d191956153a7af576c8530b8126e2407d2a7bbdf9c138a5940e55788c4f3a5bc0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5e5fddf794bbc2578646301aae79898f

SHA1
5eda85400f7c26353e281e24a92e4d93766eead6

SHA256
c6bf9368d1e88881f1ea6149bd9befbd796bebbeeefbe0ec1982b5a41ec83293

SHA512
c8d488c7f97bad49811d547450ba7e701e853afe46a6b5fa595f9161d4730b3af0ad0836e312235889c855dfdbc3924849e76a6220b41b7647b95129ed45d79c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7c4f05f79316c2cb4c1b23d8428219a5

SHA1
a800012a3dac8a18095d45f5d3125738be7ba7a0

SHA256
d3043ac097cb4f841f1cc541b9653534fdb04b216ded2fda998f94988d008762

SHA512
a4fbf7b9548fa35e6f5384940573f7b3571ab4ba00ab96e059fe69533fd29d4244eb2ed7b03ef88f6963aa7372e554829181953f4fad1472ef568948be608f2f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp

Filesize
8KB

MD5
0a807af93325e1b7e41bb3292bf958c6

SHA1
b7016c7a3c8e564be7073792203c41493a844e3e

SHA256
16b3fc2dc87df0559583948b1a11816479aecdf3cd4579090d340784fc677ff5

SHA512
6b82b8b093704c1dff87cfd65c38fcdb8c97d3dc77dd1ba91f06694ada736743de1b1291516d76bda00c86245f28a68a7bc1f0816e8e5038377b56bad4c581d0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
73b9182aaf8d90febf0a0b0220b845fb

SHA1
46e893ae50e52cc27cc6df01d14af4eab914f46f

SHA256
a6f281970ada32a652568592a3d8bb771ae60fefb8cfbc1cb62ebb501c2f9c7b

SHA512
0803ab9e6acae6a1f09530af9508155688cf8355ae5673b50335fb6f482eaa6f01a28616324aeef3f9cb5c505045b9215f5212840e8008e1aaf2d9eb4945779b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
afafa0d3dc4c21c9b0ed6ac0755c6266

SHA1
943f1020d5fd2c03e29180a07f552445c401301f

SHA256
d7fb4735c7e9649785e677019c3bbb983266b36c484ca488cd189d1523e987f1

SHA512
de742425e2f0cc1532f5bfbef3b2ea575ac8803c9740b970c01a0818aabaf4839ed2410a33d147af5b3d315e2f222b4358ca570b0a98761e42c0470ec99fbb29

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c4880b544b4077693bf1243f960c04d9

SHA1
ccd3b0a3688c59558ab789b33d16e40959f1bd75

SHA256
2ff20659783a16dc7d8400e5d0f73d29334de22c05809b1e2d3f7938c1c1ae41

SHA512
6a16407a675511ef4aa7018841795928428dbc717724cc6922b447475f07de3e21bb82da05ba84dce687a4295dec4bf3072dfc656a6583b88fc263f0a2dd5556

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
767e34156e09ce10864a70ae5088d138

SHA1
9c230d399de66741ce4babc7df1ddccc4636e796

SHA256
8779762b83ee301ae56dc1947d713dc648aee868d52a128b9f4acce9898adbed

SHA512
527191465d266049caab313cc1df6080efcd2c036e2fcd9b9aa62fc342043ab80eb8250d8cedf5ca8c0d86afd5158c4ab68cad50d3c3454bb40cc0cdd7e20a89

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e5d98c4784f2e4c8888e3c1c34f5c27d

SHA1
b1740dc9450403be220ee8389892aa5b3b5ccaf5

SHA256
5061db70abbd09c2716c215c49b8587e1273af9808c6a7ef40ad37009a36d315

SHA512
e1df26b2348e14a8e083930191df90cf5af422dbb0b7df14c0029abb77b2d30dca9225ab082e2b6cdad0da8c3691fbe666e91e14178e89e2b91c506f6650265c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b92e04ef0ddc0890e4153ede4eab1301

SHA1
19312fc8496d534d4a4d3f69451ac3c81de84bd1

SHA256
90930d3f2a7301b56a96111f5c7bf6b9c5def54b7fed9e6ba9f0e3a17d73658e

SHA512
bcc3ba20b1895b3d83aef05b0740cd80986018918800702efc116237c3f5d43373a422ca565932e5068f4f5784dda5197bfcd8ff06d9a7dc2a74d0d735cccd40

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
81dd390f2eceb6d7cd4ec9da7779f9b6

SHA1
2f9bf9d094c90ae57f00aaa5d613a7efdff2060a

SHA256
f20471481268877e0d108ac6b8302ad714858b2dfcedb88432ef67a6ff8ead03

SHA512
37b2e3c07de6686b6721baa9cc8ceca82a3d2ce14e8fa29bbe981826f1dba7cc13b29e593539487b3e4587441b42fb5f26e5251b3e315f054b7f043459dbf222

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0e4d6b402eb1f002d22468b5aa84a36f

SHA1
bfde990b4ac278727f13e7bb7c4f384681a84044

SHA256
8ec7af28d7d70e761133b7e45edf20ab206c5b6d64f9ec59c1a31635d494835d

SHA512
97b99c2d55327d2e8fbcf130c1e0b0d0b158a89d8df4ada07a0903fa29e5068c39bba6b623506ac72d080dd462e0445e632e95be24069753f99b85dc1a0c4b68

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5935ee59a2970274e9ce958b5c631afb

SHA1
5a9ab4f72621f48cc9ffd2c3aac5175e01c5e951

SHA256
98481f84da59182c5a0a66c8ecdc314bf30eae322e4aab9acd836b12501f890c

SHA512
7015e570903f5fe9312e1d06c408d9666eec69a3c6be1cf1da74c608d69b77edfa6e6cab4dd0b17f78e52ca48aae735343bcd32e0f51c49beb54a18ffcd9cffc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8c6255b8df849c8c3ee4050d48d99fa8

SHA1
622133b011636e52a2dcf79d8c76880d23f0a532

SHA256
4f6c1d7d4b2c2a2bfb6decff3e446c290b11fde708c1045e77e93c11d82a256d

SHA512
7f0f914375adc248b3cb030a18ea4530e0559ffe2c7415002d13300de828b59ebc7309c284866ce1816da181d1dfecffb7a37d0a55f521d3844b82e436536425

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3da9db00483d7688dba27b4d5f740d89

SHA1
c6db58bcd58603d083fdb190c9ec82c7891185d2

SHA256
a522842043e071d7e94813f2ffb495a2b050c38b47143f6a296482012cd2f9cf

SHA512
9fa3ee73cb45e73898eaad1046b20ecc0ec1599b5e475f3b650d83f52d5d08b6afc6c3eecbcdf8e7fc8946c834e9b2b4808ae1c59bdc4d8a2eb7737c9013de37

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
835a94c9e0c9b6203457e6509b3092a0

SHA1
2b3fc1c65e334d405174be23f42c1ad8ab1eb0f7

SHA256
896c01692d8afd722afbde14e0c7e2d2cd7e6c67956dce1f4ae6eaedbcf998ab

SHA512
197335bfd161f5ec15fc2f389674d8d1e31b0b8923c10d4de733ab8c636c378e107f7fb7f3641fb2521ca3c801f95ac91f5ccdd7b8ba6f7dee552ccc5cc2c762

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6d4bc7740caf072076e3b6c8f9e0f171

SHA1
1775a2d1b65cafedae9f7d8ba090657cc6eb80ae

SHA256
4102821dc25620d3483d7925b4cb1283f1bb3f9c6451a92c96a9674f81bb60fc

SHA512
39350f7533e57ee0bddd8ccb7622bedc9fd0b33e8417ab738eb6d05057ea22a7bace6b9a27b84adb6b02a2c6fd6fc415b0c70f55b67367cfd485074739180d92

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ac444ff7bba7f4d4d9174686ee791e50

SHA1
e161092f935932d6599bbf3285675ff4482dea25

SHA256
1f82a2f01e3664a6011508c6a99690199c7cfe817878633d49c4f3b0e433ffd9

SHA512
65312974d633de8856497066566d94b5865806577f84dd16fb08bea1db6739757a74cee82a92e25d57c245e31de80fc1ce6555db633718f1e96048366e37957c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d9ffbd99deea71df0167f708aaab20c7

SHA1
931156e7c4490a0f3cb48bc1864571bbb022aed8

SHA256
ad72338c91bdd703a02f065c60ba4cc285ffbee9ca233a248481ddca84671329

SHA512
31c76c9874c6d1b3262b6828aca66633d2992ea66125c54d5f18ef7eccfdd73e0ed093b69eb67298a30ca89360247d7b38e41df30cebe1faee9a3914509d93a3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1752138c2c8701324f53833513e8ce41

SHA1
b482a2e95a0c2f9ad684a941511f25556ce0c154

SHA256
94e96d62f0ac5cd72c1282c69ed2b94f9856597d27c2346824dab35f573a6427

SHA512
aab8096a33a6af467b105867e4de3555f70be132039fa77c98fae0e69d0df908837565a6f6b51f24f49c5e844f51f5726613cc3edee6779da1345876804262d8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a7ae51968662b328c78fcda2dbb2a8a7

SHA1
10c51d709e4be11b4805a08aa12cfc39c7e8b189

SHA256
c0b91b7b59a09ea589ed6e592fbf62b6d8079f94dd9620a497fc6a33f937e837

SHA512
8d2ad231e6740167fc064e64e9f9405723cda16b15fc18edc5e538da4c7261e67cd696bf2adcecf79941f83b1842e5ae3d3a961920c8fbe21b75336c90137097

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
35d8226ffb120f58c4db471c8f9cdced

SHA1
f2829099b7a3858406f24a2511d979a152a1da95

SHA256
97a4afef75a655c0cfd209b8a9640e7bb0d700707b259646825c16154c4004b3

SHA512
e501a3fd03c71a7ab2ca5264b9e822166d9c72d0c23c813839ea1c1e744aa93fb6712ad95faca7fdf62e312f01ef1423a1b6b8099a5d2ce06ee274d06c061ada

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6e52efce7626d057192ed5bd95d971b5

SHA1
5c3f5caf2d50a1aa4d006257e51042c0375f3d2c

SHA256
9fe94baf52840c864987808ed1d2231bb72c6003877642d37aad8701c5cda0ad

SHA512
db5f2d8443eda0b53eb784ea31907bd0ce287d6b99882886d65b74112afac6db8dd811198454a2474840a90d98dbffc33187ed510ad5f24faacbfd48e1b0c5be

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
44f9509568c5519ca11ddbb688ce9ee0

SHA1
d254e16dc7e5a9183f137b315b3a6aed564756a4

SHA256
2d8428c377195c18c22cd1de44dced665a0263f222bba0f44ab6b0b9e880b276

SHA512
e86aac40c6d097ccc42ea0ea73ed37ad2a61029686852c52a190c860eed778f47cc8b79345cf999ae371df1d5b802cd8cf8098c1cc7da12568e5cc88918819d6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
0930be603b58319d7ebe3825e03f7a7e

SHA1
58303e11654b60b5ce79cd89252f49b226a7ea2d

SHA256
5df3c28608b0d46868fff3e5fe1ca80d7f7b2d3e3af5fbc6a35746eb18087490

SHA512
e1cf7aeb8c9d9b8e99a5adb9e3d06d9294e8d71097cfbece3b75df7a48a11679de98a747766187c3a8d9938889a6fb4bda9e5de70374de948874c8e227286892

Download Submit
memory/216-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/216-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/400-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/400-25-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/400-16-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/464-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/464-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/464-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/848-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/848-446-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1092-101-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1092-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1092-106-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1092-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1496-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1496-391-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1600-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1600-66-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1600-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1600-54-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1600-60-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1848-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1848-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1892-77-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1892-83-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1892-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1892-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2444-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2444-129-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2444-33-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2444-38-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2556-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2556-343-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2560-365-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2560-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2576-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2576-444-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2596-389-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2596-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3104-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3104-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3356-167-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3356-445-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3720-89-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3720-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3720-95-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3720-97-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4100-166-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4100-111-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4528-88-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4528-1-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/4528-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4528-6-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/4528-7-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/4616-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4616-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4740-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4740-392-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4752-110-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4752-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5096-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5096-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5096-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5096-142-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download