6052de66cd4fc4de227ab2da7ff38cf979f6002c0e77610c62a7f6ea6d0a6e70

Analysis

max time kernel
10s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
Size

1.8MB
MD5

d830ec96ac829b990102000d1bf668a3
SHA1

d349eee45867559983edf27d9712f172c0fb904a
SHA256

6052de66cd4fc4de227ab2da7ff38cf979f6002c0e77610c62a7f6ea6d0a6e70
SHA512

c6057b0f6e4b294e2dab2eae98b7abfd4b4232f70548dfcdc8e57067ec31b0b081a7a9335ead6ecb253b53b7006814a489f16c41ec21df784aaab1edec8f348a
SSDEEP

49152:ME19+ApwXk1QE1RzsEQPaxHNKs7YSLTQYWkK2/:x93wXmoKNJ3rL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4256	alg.exe
2724	DiagnosticsHub.StandardCollector.Service.exe
4224	fxssvc.exe
4356	elevation_service.exe
2588	elevation_service.exe
1040	maintenanceservice.exe
2752	msdtc.exe
3892	OSE.EXE
5052	PerceptionSimulationService.exe
4452	perfhost.exe
3912	locator.exe
3596	SensorDataService.exe
4760	snmptrap.exe
1928	spectrum.exe
4504	ssh-agent.exe
2560	TieringEngineService.exe
4600	AgentService.exe
4316	vds.exe
3224	vssvc.exe
1972	wbengine.exe
528	WmiApSrv.exe
4012	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1e998288c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000680b24035eb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000609976045eb9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a54987045eb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fda902035eb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddb3cf035eb9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a2280045eb9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093dbd6035eb9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d03a17045eb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004be6a3045eb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054e23b035eb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb5a13035eb9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3008	2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
Token: SeAuditPrivilege	4224	fxssvc.exe
Token: SeRestorePrivilege	2560	TieringEngineService.exe
Token: SeManageVolumePrivilege	2560	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4600	AgentService.exe
Token: SeBackupPrivilege	3224	vssvc.exe
Token: SeRestorePrivilege	3224	vssvc.exe
Token: SeAuditPrivilege	3224	vssvc.exe
Token: SeBackupPrivilege	1972	wbengine.exe
Token: SeRestorePrivilege	1972	wbengine.exe
Token: SeSecurityPrivilege	1972	wbengine.exe
Token: 33	4012	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4012	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 2188	4012	SearchIndexer.exe	109
PID 4012 wrote to memory of 2188	4012	SearchIndexer.exe	109
PID 4012 wrote to memory of 4512	4012	SearchIndexer.exe	110
PID 4012 wrote to memory of 4512	4012	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d830ec96ac829b990102000d1bf668a3_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4256

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1012

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2588

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2752

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3892

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3596

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4776

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:528

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2188
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c2fbb901937cb42d37daea4356004179

SHA1
f680c64e8e98f37d4b8f680708cd2c54c9935fe7

SHA256
292f05b9da65e2103217abb473598f04bbe099e7e806d06bdc0a61411c52c982

SHA512
8566d5d6120cdf6abb81887ee6854328de41ae579289ee43d1cd72ae3d2b0c463204fd289b7cf257112f0589b3dd6d341881f426a507b0aaf94917e2ebc22301

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
448KB

MD5
f30923d7f7492806f60ae1566a99adc9

SHA1
c5b4c3764cb21c40654b73eb63be1845a0f752bc

SHA256
338ec120c87301b1cfd14762890783e0c928f74e450a0da75dcfe9883d3a3991

SHA512
577e0e6cb6e410f6048f49f3f6e24387faed0d2cb023222ef0a3a7baf9cc85e0802bc4638462bbc42c8b588d20cbfaa31e1ac9726b3eae5c4434534ea832967e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
1b856151c17ca3ff93ded0531315f416

SHA1
4ccb727e2b5ae501b5e26a374433b58d22d1fc9f

SHA256
d92176b6c32d26626edbfbdcd76a2d7f859d8f0efea8ecdd3c2e8ec815f7cc62

SHA512
a77eec43c4926ced4799114f4dee1133579b7e7cc6aec8f010c4d16beddcb930ba07b9be53306f8680424a17a2477f217f862882e5c1906db3d55f6cb15a4205

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
448KB

MD5
346f2a8c65356beee7c5087b94b91386

SHA1
f820c1541e012dd44c89c76fdf7b63ee3f298ecd

SHA256
bfbf19f9084974c5e6fcc15d058fe6983b79dce8970c316cdc50136be206f296

SHA512
1cbd0423b64b687c76a879cf00ed0f192890a59079e40337c96f3999b3ba80a0fdcf2873727528354dc424b8f5cf6f046c5616d24036fe119acfc9c1a7722cee

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
128KB

MD5
f00ecd13ae690760014be5c28a35e5e1

SHA1
2c7cc083ee43ebb9c29be19f1c685eab75594996

SHA256
cd52a0af97ba202312df68afb0e0899571a6b8703f3fdb90fbc815a4230f8373

SHA512
d13b503f5c0916a26061931fedffa0c504ed3d1cd270d5bb54d83d731f3e9d4356be0bd8fa20261faa0af60479ccedee852838db1122cb59495488794af48803

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
448KB

MD5
7bfd587ac9edede416c8d9e4179f8299

SHA1
9831c32d3cfced5ae83c9166cd200be2f99da9fa

SHA256
7721018d82b5aae6312a0382e554a8e56148a9e792aefd4733a567d7fc83a2f0

SHA512
674cf35efedd0c3e3d913c64570ea379a9b351bbad321673a9c0d2a61684638145fe08ca1fa49aaa051db5d6cc466f2867cb020d680d31ef468a30aff68c9019

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
384KB

MD5
b7b7a63ed90a4599ef61baf3972baf73

SHA1
de61597e37ff778c13e8c08d01383ce0f6559f7e

SHA256
d3238843c2dd7ba6542ff0e7c3d5d2fc1cf380c1b348400cd2e5d1bde04899bf

SHA512
8c92a92ea9e68e8249cbe76b8d43e2bdc167110c61b08992ec6f327874018ca464e4bc4111f6c50264bc4bebb8b82756b0ad3fb593873d6301914944a4eafb2d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
448KB

MD5
ade8f00c5a60ff748ae8626671632595

SHA1
59d41386b4751aa6c9f02085225598ffb62dcdc8

SHA256
8d22b9d5a59a5820024532a54c35fea074f614e7debb31b6125eed402d96b496

SHA512
63c09d70ba55b96633636f8d8bb6227029d71a000d92687908310161896b8c101b424c13b2eedfda500b76ae10fa702671408bc5182a4941bfa0e6675f584d00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
448KB

MD5
acb062e75e22275babd6aaae1348c5ca

SHA1
9bd70459649b123e8214d4990245e1cc0b3755b9

SHA256
09df73bea39d475fc4f3684d59781879639c513fc563c8af07d562941d93e98d

SHA512
a7e809ab7ad99ab2263217e8b7d89e6aeeb858cf9e0bc94ae7dfb0afa1e5fdd656a36e6f09e65e81b6e1b835c6f3d82351e5b9da0631d72170466ce4e722823f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
128KB

MD5
d1d1313b7fb496ea667ea905d24bbf8c

SHA1
561dd6ceff5baff12416c70b4631a6f82d82b79b

SHA256
a1dcdb1494048d116d28a71c9ca415bbb9f10b685fd19b114e29765b009ea762

SHA512
38696a625e704ad435d7491d4cc518a60f11625b77f9d8254a8f25418dc40d35f0963da7ba5eca50c958a1bcae4a4a6d7a4953091ae5b7bb3bfaffa6363598eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
512KB

MD5
6753920898ebd0e1c7618e19b270a128

SHA1
e97cf25b21b2bb9d53f0810ea7fbb7ce294159cc

SHA256
230c5879a3b6398dbea21407d8a939f3894d0d17aeec63562f6e3f0f3b3540dd

SHA512
b6da95511e0e67ceaeea16300d23fda0b082b73db4f668054d14da6c8373796baba8fb4cf47e5f25c5000026d5c71d1e0e9dd1d61d5f93a744dd8a2693575f4a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
448KB

MD5
646de52c87014251ac2d1e655d92cdd9

SHA1
21f390b0046b981abf1a3565514e086b7232b72e

SHA256
3fdc1eb7e68e0b61c38242e156718ffd6bcf2bb83fc13085d91d903ce6ee870d

SHA512
9f4191de1790d726149907d5743f937b21e633d61cf40d03fceb682f17dfa10569f4124951e4af1af018df5b9b0456457f69594ec9c8733c11e81dd270ba5ddc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
448KB

MD5
8802319564f48e2a96d8e0b22fd82796

SHA1
3399eabdbe536dd72dca6d2f7cdd8acd63821860

SHA256
a1bcdda327dbe0fa8f8947bd1243a3eec2c4baf0cefca83997618cf29224e67a

SHA512
2b5c1d8be48aa1c809af9c0e6428c5d97aea93d04eb0f9dd443d52fa8ded5e8f6c8b57dbccf916c29277f1633b0a3829d206b1238d7b2f8cd467f9b05d48ba27

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
2afcc4ff858086ea93815a9d76a20272

SHA1
9317e2eac1adf45681b01749ecb38b341010d51c

SHA256
8bb38e8d6ece2adfc0f5cd773493edfb45471b5d875e58e8d8e2d1c0a9981d74

SHA512
92668158a81b754beee245bacca400ac0fed30c746ebc94b758d21409f993eea47e8ce96f0b0ebb6d3cc49e23286bf3d6ffd9147094d619a4127583fe311789d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
128KB

MD5
b2234b9e39b430f00267c294865f450c

SHA1
b2fe42b8c2255dab0815549f5a33b6f303f4cab0

SHA256
ed012085172471aca7bb02266a9b32948eda88a9257681b3a3b4cfd80b8b4f3c

SHA512
5b5b15f95490a536ed08555aea94a26462ffb2f1568cffd9f5d99d626defbaf516cd58170e61d59f5ee8ef2819108ba2823a11433da1561e3fdfc0bd8404b3c8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
448KB

MD5
592b7fcdb356bcf8d92fead5fbccb951

SHA1
ff874c173b554d36fc09370089fccdaf392d3035

SHA256
60ef1eb7f00b8818a54a51ae3815fea88c08334af89d6eed233d9478bc594aaa

SHA512
cb06ebca01bb598ddab070ad1a57df8a07a3b1e080993bc6f3c9f57557a2a78053bb7742ce03017b3256223f1eaa74ec4688145bf7e6508d0036d83e73ce0aba

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
448KB

MD5
9a1b570a812d3b12b97c72370826411a

SHA1
b8cf20dc78afe0f105c47fcff45fa69b0a6e8f16

SHA256
0bae6ccae1c7f5997056b04a532ba8be7f5cb3cd6f7c6022d8ff16e2c09a3e92

SHA512
a7959df95570a129614aea740d199de95d483fe1583be687845592352a2ed6658f22aabaa8c6d4c02db335d177b6e2239cf8ac80706cab97f07127276116e70c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
128KB

MD5
8e79d35c68de5c46616f0b00dd24bc7f

SHA1
3decb7f429f9657b0ce3d0bf0e70fe802023a929

SHA256
4e2abb45f858243542e7d6e909f7271b42277fa858cf8cc71286981caeeb4112

SHA512
5e1dcc07cd046cf0a548c9a53226d81707deae785796d460fbe51bf8f270cd13bfee8413e1e4d03c4025e5c3461fae7927355fd5bf4cb0cc8ebfcdeda3cd359d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
dd75bb53b41cec6ae3113c5d16b132af

SHA1
88680682f07a2c37fb4ab392c56c514407efeb0c

SHA256
68e1c34f660e355821559fb04e80de60da216a62e3db8cd34f068d9fe02ae481

SHA512
fb4d56eaf5617d449471feaba5b427ca5e78d894f2e5284fff1beff6de8aa8ee5a50cc7953d0442cce1ef8204b28d649e950de7c3b79256f779bb35ab6e13ecd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
448KB

MD5
1db81b49dd1bc9560273f504dc9b06a0

SHA1
100929c359a6412e93127da19c282f8d821fac16

SHA256
43743b6573b3b9b7756232eb6c61ce79db1a87aac7741c0eb56880333cff838d

SHA512
38c1fb448be9de2894d60416cfbf01d3c6b032fe7b766e6866aa31d6ee58f39e035bd7e2fbb4bc08c266e09a2820c4e4f41c92f864aab944108f539880ce94b0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
448KB

MD5
6d4a67ba4052aebe6471351b32c879e3

SHA1
d67fd9790ed76e0944f4974cddd2cecac56a65f6

SHA256
e59a6845086570415a02bd0b44a31f8425f01d27f86ee93abb1bcbe8ab1e3caa

SHA512
aafadea61d4f255a65e3cdf1b56e3b98cbdbf6b010c814ab4e47f55ceb69bef258fd5a6fca9d28761206359669a413a78adf9da91d7b83e46ce511d36f7c9099

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
448KB

MD5
53ca562a42ae9a1d35a3ad72b6305bc6

SHA1
13899bb17ef771b8b6ea9f8774cb5beeb2cce06b

SHA256
afa287e47a20931d1e80629fcb14160be72e9c39b4bb0db3971d43c2bf3f2bc7

SHA512
e69c4841dd8a8ede9b245074321b9f3dceeb3212b268ce18305be820e57be7c145eb4829a338b57d28141a508c4b9174371331478dfec2fd45c53c6295bd4233

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
448KB

MD5
c646450593421551ea42cb395a3063b7

SHA1
35b32b7f1063f2d73b84a2da4a3bb17df9ea2fc0

SHA256
357353c708cd611854459c5d8584399fb2f1a67fc6aad1108cc7a6b8e70a7367

SHA512
22d25aa5dcef8bb59bfe81609a114288f84de426907ab657c1e0bce89ca08f366cbf4d10426eb0c277e08553fcb6f7ab0a7284c75aab7f69849a1af0af871466

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
448KB

MD5
6f3b0135714380b1960104d0734889b3

SHA1
064d662382eedcb2c2514d316243430032ee537a

SHA256
5cd950ea0fb177e0967b6df66fcee1239f0da94b4ece80e5d9d2e2f497791aab

SHA512
5a0886383eb851d390b1087bff7f5260cf4e86878750080b72345373b1333ba54b0d2a73b288a9c9749918efab72f53cb13b08997c337cc2d5659c0550f8018d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
448KB

MD5
9e78e5e4809768bbc2d0e50bf7a160f1

SHA1
5da0172576e0f8b63e8a5fcb60fd90ac1b19d26e

SHA256
294dad89d7d14f346eecda92ed37c3db7ca72d8ea94888604a4203be1a4170c8

SHA512
008db7514aae3a32d78a3fb0c5929fdeb77953314b5b201225c8e06164bb03beb43e9fd92124c709252bb6dc5a81f18d6de96f0e607f060edf931e9d2204a5e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
128KB

MD5
add1631e15720264aa30e78a91db4170

SHA1
d0fdbd3f220833797af67ae6d006ff2b977382cc

SHA256
fd41b505659ef8d13e7fd69b324c9c48968cb5e6629217ddac061b2a322888dc

SHA512
1e3706d05ecd9d5c890aad445f8400028d2e8aa0e0f6f11f3dd0d9595441a3229a559c0bb174955353a0ed2a3f164d4d0dc9d67a7c71e28ee0b9bbc28c066e4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
448KB

MD5
7b58a3a35df71ceecc8068aa65fab410

SHA1
759ec4e17a103874b8453809fbe7b97d94e49887

SHA256
286f650aaf17620af2320a1333a16340210909d4a7e1ac76d1b7f263862f2b79

SHA512
d10d515d9bc1de967d66041dd53c0361134c6ea01587c3f96c9bf48358cf8258cdfb56d081eee3bf71bb2588b953585f217d69d4b755c372aa579b7743827261

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
cd386502364cb328d4c9b6d0d403bc49

SHA1
6605406ed027562a16c2cc10e6d0221554e74b31

SHA256
b89f95aa19fe0b5c0c2042cd1a7114a58f3033461cb2554623c533fef04eabf9

SHA512
75c07448f637eb54c13e6705639cf8f3ff5262cd14dc2e8c0e299667a44a824d9f281210bef9f6c385eb946a28f5ec8cdff76f496260dc6c9888149f417f7f1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
448KB

MD5
8a96573a465516d1fbb9073eb5d9b5b8

SHA1
37ddc9befe80c6e5894bf02e02fdbeb5d3d15904

SHA256
7a7ee555bae45b93101474619a4874793b0adc24373b299264ea9da14d989c02

SHA512
8cd1f80d5cc286b9be89c5db02af8cde6017aa0cbf9c6a26e630d51181c56be1af6d1e0e3a9b9879f2e2ceae0fbb8453726fac97878858508447f38f78cb5463

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
448KB

MD5
3cd961f216ef790432d70f2ffb26721e

SHA1
8da32166e07e6f6ea0fb0d5c598e8f0940c2fdc7

SHA256
973628bb3f4a8653342fbc5e480fe4da17f74b6717eb266e776117f54ba10e12

SHA512
9751d71ecb63355534d57d63a4ce59f65d7dbae4de0821bf936b5577bc9de3a9a814cf4e5e85011ad7420c80ff692eefd8a79f28b28c6375286586d1bbdbcf1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
448KB

MD5
6e8876cc8f0b9ced5837c3cf98c2245c

SHA1
9ecd8dded84b9cef593c286a34059b2607195ad1

SHA256
be4a7da700b4ffeb06d4ee9d39c35dbd814f44f4851ddde069ac3fff593c719e

SHA512
b4caa67b27b58bac7fb8a5b48297bb43818e1a014ff2b084fd7e7b5d4ae9293ec8836552732986683435b1537ffee3902701390df6357cee37d0fabe9ea2ea76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
448KB

MD5
10c90c089e393f2c78ed525ae369323a

SHA1
a8c39fa0b95cf0394375598273b21171cbedb289

SHA256
fa219b73a40d1c5f6a1c9635da06bdade109f1049c2b85e84016bde184a6c5be

SHA512
1764db934b7f972896c57e700250b8aa1ec6fc4b93205c0b490a39cbcc7e112b3705a528b09900eb54e6dae85bc3533b50bdb21797e4dbd12e06f9f9483b92a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
128KB

MD5
7dfb3f4ea2725d33278a7f3695487ee6

SHA1
02c8620e46278904dcbdd2d8451dca5db9b82141

SHA256
ca7904d51f66af8c341b4b867156d536f6ae8d7665ab14cceb30181c2af968a5

SHA512
d2c7e381ce64a4fefc5ced91579bff02d5e416dbb83acbabdfb6d9515495d93078343384b6fd9c8ad0a55991cb58e654638b5fc969a3f6f55d83407f00a74b3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
448KB

MD5
8a14cd4782fba35c162f32270b228d3a

SHA1
a7f782bfee8216470f6fa583ffa4ca79cf439067

SHA256
25145c366792e9fb0792b35fff64153a0656ce945b96b21664973a783f8f5be6

SHA512
20314f3cdc4be3271cc2931daaad5bd24676b4fb53d8dad3add0a014942aee1bfda820c2d6b9637f5d6eb0a17d2c6cb8e86e3a69ba61be342495c8ba0a93ba2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
448KB

MD5
a63e352bf3fef45768be4bb53ba506bd

SHA1
0f0810a8c1cd3143736986123e77ee9c45b6c0d4

SHA256
71aabadceb0c923bb0ce807842e7eb782808180fbfaac4e404f2d25831040e3b

SHA512
46b94cc680f5c2ae8849c79313805904ba25a6534a4f2f40419aa42d67e46f8b731bfa6bef261e41f8f6a3d105b678b28880743e10240e64bd30777f1d2c90df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
448KB

MD5
6f1445263a0aea1174fe6e38eb74b38b

SHA1
f4b6cffb21658c1085fede70505042f58958f1e0

SHA256
5797aff9869ea490a2c323c041f0e4262e13ad9e6d53d963cd4bc34473603a94

SHA512
adca29730be56f5dbe435f2820dca754e6fc74f06c0f55f878ac01281f733d0464a5cdba0c0f878ee39f1c03722f6856aba8905af0905c46f29b8e7be0b6d138

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
448KB

MD5
dfed3ba5933f7face2743e1fac065543

SHA1
d5dca4884eb62aebebab7b8c6cf905df36c1ab49

SHA256
a5596671ddba42d9654e1aac90f301dcd632d66b0d50cb2366bef973dd3f41ba

SHA512
54831ec51702b7763f56862e284af0cb4bbb79bf1965dfa0ddd37a29fcad3598d9b6df58fc34806519bdf7f54ddf3a5cf6b2ddce62f253a93a72a4e59fb836aa

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
448KB

MD5
2d990ab943f571421d8ef7fe3d0ef6d9

SHA1
f81bda390f33e25d01614e9537fb18360ae98b6e

SHA256
1d9bd7f77c49b574448b193eab7e4fb30c0eeb3f6e3a0d6df6a102981fbd00cb

SHA512
22a7364b3a2514253fd668c3801e7c10c9f3141d7d904191e093c7e74423d3e91d56b6675c4875c2be169fd92306e3acd7dff09c882d0f293a666675f60862f7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
448KB

MD5
e8452fbd06178682ced16e71b3745774

SHA1
e870432b85f76c0afdb05d7f3134ae6a23328773

SHA256
ce166f5c33bbde1520f34e5027b978f43b31f6df9a8bc70a854b386be19c9930

SHA512
e54bb33ebc2b34fd416e7add6b86aab853c397824b23c6d235ff3a4c3ecbb40650799028575b6246d188018726fde4d81624eab040a2cc6dcbf4ecc4bb08b205

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
fd1af6c507237c4f5b719d4d3984809b

SHA1
eee14c03e0f8c18794a8f52b612a8cc6ecf38821

SHA256
e206d6db319c55e0d230d826b8b59300740e497c9744e07e762e1c9e3599a88c

SHA512
c83a1a739146c591f8071be997fd80b1181509e7dddd6c22c1adf7255f45183c7e07a40c63a90e9df51899ca4def026c16e40a647dbf27dda4031a5585a9f710

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e241d7a544f60eb59f1b4bc98ec2f827

SHA1
b62aef56074c9381d6e2871764e17cdbbc99cbf8

SHA256
3df01fa08ef0294be9768ffec2ef90705d49f09b7f91f964f7ad450943154f6e

SHA512
28719ba99900f0d5aca8b31efc153a716dec90f01cee4cdf7e25d622cd0cb2fb3f20b412235852e820511a1b8ce00b3db92d9b497c3966d82f7e911904b3ea50

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f22616a315fd37d707c1406893301bc8

SHA1
0363e9b7fe8c912a2e4506cd3a3b8de2810d80e7

SHA256
4f7ce4442902f041f1d70a4267227b5f56e70f7318f4f74f8b2b263181b46a57

SHA512
a85bcff036943212767b68e1df8588ff4722dcd1b7310302df444abecebe3ffda990d08d131ddb7d5f651b621b113dbcce6084825947a0097150bd872b5746f4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b4ba86f5eec8ca8669b1fce1a8f0cb51

SHA1
547c3fe5c27debb2c589d92969756cd8c3e56f9c

SHA256
726e6463f9f815153daa04f4f6b4d2bd2e9fd9cef1bce0b0df35b86b8bb8d999

SHA512
f0410c28fa50ad4d5486b5c672af290b28da92065f9b7bd532ea80fdb106c10e215349febcaaa78c32d521685f25ff1fd0fb60562c92b8d83be0f38da44e625f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
3262ade1512362e940883daaa70b4d02

SHA1
e097658911cc9c742f6eadb227bc6b8058af0570

SHA256
8cee8c196f412ec87021120df9e2d111cb3293db78c87b9da3e2cea7c000126e

SHA512
a3f179d7ecca5c9702da03df117441e482b76c24d44863ccfae6d65914f685dcaa6dd451acadc332ac243756999e84daabf358d857046b390b8cee1d30fd789d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b505eb78bcbd1d9009ebbe6347193145

SHA1
0d1f49cee9fe8ea10b512c542bc8e1c5a9498d57

SHA256
74ea4c77ff4b2801a8648a7fda98010423d00b1e46b575534fd19d10ae32ebf9

SHA512
ecdc3283a7260cef26fcf1dd2100edb72719225f8285e22d24cfa971cc63bb7711c96b0235212b524e1da847111c8294164ecbe8568905533fd9508d81006444

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
493dda8224dee766e249b4d30be66176

SHA1
2b737806bb9d56f074bc29841e6aa036f0f23475

SHA256
efc6d5df3d98ce041fd0d389253eca7618da3542b44defa398e7eb67fcc30786

SHA512
f9de71983bb77393cf5c8dc1495d82f37e9c7595eaed674021b8678eadc45288a980e64b5b3a51eceec9c90b09f22d26044a3a9b7d3c016cde19e7cc6aaba055

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a97dd0c3e6cfebce746ad7279401b2b1

SHA1
0c5b4486d930f8f1ebd0475ce4f7f4cdef3ad43c

SHA256
8fc5852399ffbedfb53e4ec6bb411a39174ab94c6a6ed78a6ab7a483041527c2

SHA512
3c710fe28906739334131b1ef3b65964f4fc052acc398f59bee4cf50f202facf4f88b4467e8b3790897405cc20a7f43bad8a9a0c561417c941775db5da4b3464

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4ebbc83cba937730db54ad2f892a47b5

SHA1
90c4b020db66130e092259665e15e5e1a03df3e2

SHA256
b176c9f0afae561e8eb3933ef005e6d639cabfa9b31fc444ef48fc40485944a7

SHA512
d5f0ee0ef7f528c2d7b7a0b741cde7081fd901bf83871b17b80e5f8a12f47ecf6a870713a81394aebfcb83e0e7582bcc8f9cdb222b30fe8fd0108306d8703361

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
448KB

MD5
80d0d3b9965192188fd3c2627b982658

SHA1
26038f3e5de1543ce2612aad36f1786ec4182633

SHA256
d36a1358840ced5932b0436ab6ef81b301d2aefc3d025f97347f46599428a336

SHA512
e98c6b6c17450e659ab115ac9da8e7a6a5efacb9047901c77f438713b562be2f8908312247a4668975edcdc61889b2f09a9e87427d9b75086656336e9ad592bc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8273bb1798cfbda2dfe0a646d1323270

SHA1
4c210679fc4c2587af3a981e7c1e507b74f678f7

SHA256
054e7824100ddcbcc2fee9269fee85cd0d480cb1113e7611f3ddd76eea7e38cf

SHA512
f02fc78d4f0a6dc6dc3e9a8f1f2956eac26dde516d89837f7c30e0f6a424aea4484e4e5d6c216def9c4209540d8bc980457b12c0e98794edc01f196f58547a26

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
8264c8ed705de0dc22cbb0937bc2c25f

SHA1
e237dba712beb05e2eb8d1acf6593051f06dcaf5

SHA256
e1d6aef27c0d8b9eeb5da1e7f1761cb9f402f8cd3a70ac5cffb7a65463498640

SHA512
6ac28905f8409591f757aeea2897ce6ca383e92605cac06d0bffe3a53dd23b27a82596837c13998879e2cd6f9499567fd2d91f8091ba734922ecc001b712baeb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
00aab2bcde124182e02f627eece6b1ab

SHA1
fee1d7147092d106232058666f8e75be3005fd76

SHA256
e7af50fcd02ee264b206a1713bed2e3099c6fd19808d463d5d27c3d9dbc8e763

SHA512
c091f76e812e54be361679cd88280f9ebef66048b42e0d99b738cafa0bdb194c42857e7feebeb42213f241145616a445e1753ac057cfbb4ede4f18c0def7812a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
63b70039b101b8414ad9fd7b67392ede

SHA1
213c18e6e3e1e1b5d6dbc212e86b5e485943f6dd

SHA256
81c03e7f5bc1c392945f205e4f7ed06c4c93e3ed79f5f4314042c8f2053519f4

SHA512
c7207af9982177cfcb6143f0b8dd30922222e2cc0ae7e3f1091f1d9353cc4a4bedf735c3161094db7760ceaf0d2b129aa0a75ec3c852be5eed64b5f60b093555

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3c5c0cd89cf086204c84e54db15217be

SHA1
408bedffbe7a280b1d5a73d4d3e8e87a7b61b277

SHA256
756836fd16a4062f7be8d73b794f76cd7e343d335b57027433526127b1bd911a

SHA512
fc9834883cee519e5d5dde75e8c3bb1cd9a6d380865d829abd692df2b5a271c517dd877fcc098f4cd81f12ddf39088c65fcee5d8ce8808ccc6bb79b0b4e26fab

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
371c71b033e886a1a78450d34da5fbcf

SHA1
672a3da23a710aa8f619371046e709090106bc18

SHA256
09cdb428a3cdcfe3cb262caee7c825172a1d03a7e3bf0ba2e9102f5c8edbdb0d

SHA512
dc49e2233456bc8f24c6f2f19dc1cc24b7ed17c04012dcac34fc9f2028e78c88a9b005da7113d836a0749dfa0b2d8263ebec5b99afd42e1e27789aac05dc5d22

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4d66a009dd63da4cdec6abd62f1ff8d6

SHA1
6c13ae510684c42a99df7c5f8a3d4cf7e751f0e3

SHA256
91cdd04cc87ba65b3e0f9418708439c332c89c07f80877821e24142b5db9528a

SHA512
c5812505ba5ce4ae242c24e31e6c1d3a3cca024e693354170b301328451a100e3a5327afc7c30e9cf43c045630a494c869447743cf9cb0c53b09d74575bba33d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
9b148fd6360ea2e6fe578ad352b28cc4

SHA1
1cd4dbf2156c0ba396fcc480114329c34ef2e24d

SHA256
536708ac54aa7c8a1509b97e390418a3943b1b1b3ad43f4feedd3acd872b2136

SHA512
b335321456331fcde0ed43d32309e9ada157b27895a33b540dee3061e70f3f4750f29d8117df107a156ef6530268d599bbbaff6c58233b72aa5e6a9e5d3e53ca

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8f856efc79462561cdf3f86f81872346

SHA1
6f94a630107fd6468b40a54a3222ad767c604edf

SHA256
136e8249f18664646dbc8d21bc9a3e5c7abf703c7154151e40fae6288dc4305f

SHA512
c1b4de046b5f4650187033d0e013f6da7f7c293db26979dc912aca4de723ed8b8120a9918453ec34f695f2a23fef0065a1e9595cca7ed8c2796c7604d4a990f1

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
448KB

MD5
e9d1718deb4fc905e4e59c93f3bf8488

SHA1
929eca7b25e4e8f64abdd78b766c09a2234ed016

SHA256
f7e73b9e95de45384cf257fab03df225fca5f3515b64aa646fc02069645aec1f

SHA512
36525eaf8f520154ed6c3c8205d9f562c1ff9a1a93558f4bfefae69081fdd042a0361e45ec302f6759d029a60fd599dcb3e391534cc45d635a10aff58bc2057f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
192KB

MD5
e822ace678aad2bbf584d3154e5eb6c6

SHA1
f00b834d4dc5dd968ce1af765991c118d583bd72

SHA256
cdee18933df23008cf6215f9bf03d6f2bdcbccbdec931d999d90aec1555218de

SHA512
1e40c2fb4a11a2b3b2c38dbe23fed603634169dbabd118a30e9d0f1d8dfe291db97a19815313a1b853d539cd1264b5c2170075a85ada318d59f39ddfd173ea39

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
448KB

MD5
7b4f4b4cf869f5720e31d99237d05105

SHA1
4358eb1c119bf479462d15074e794612bd9daeec

SHA256
fe128c582bf0e77f4a0710b9f6a0c6835ecfe94ed3f2a162132c6b349c368d9b

SHA512
7197295577f133910a68351889a481e3e173103f7411f44c5308fff60795cf636bda472f9ef3082f9f002bd7c1d1c017384730ed8a35bbd2c31ee4f35b4113b6

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
128KB

MD5
2e884cfc3d8f058740b2fec75c03fd77

SHA1
c4b782fad7192599bfdb2d321f7d0a7868a2e275

SHA256
24cf56c5c71511b75b411c310271b795e73418201c62b4c9cdf29b4491389f00

SHA512
6cfeb65d8afb12a79ad18b8326b3963843e4e3461ecc3983dc2439d8afb74bfb43151f494e483d6fc2d698b159e172a9d7d3c8e13863b7bc3400e2033826964c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
448KB

MD5
69c6e45fd4965a91680adb2da81957e5

SHA1
70d32128765aaa2ffd9905a87003c65e092692d8

SHA256
734d7314e00830df7381ad272df8c24c98815dfc12bf2cfab3413733514f11e0

SHA512
ee5b6236b47c36e4042053cc93606695d9fc2e3796e9856f4e9f51ef919daaa02502233e507fdfabb39d4171bb3a5f370d7cf7d22244d2571dc56faf4e03bc4a

Download Submit
memory/528-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/528-636-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1040-80-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/1040-84-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/1040-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1040-74-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/1040-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1928-180-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1928-510-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1972-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1972-635-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2560-202-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2560-630-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2588-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2588-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2588-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2588-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2724-26-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2724-126-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2724-32-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2724-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2752-89-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2752-215-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2752-88-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3008-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3008-6-0x00000000023A0000-0x0000000002407000-memory.dmp

Filesize
412KB

Download
memory/3008-72-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3008-1-0x00000000023A0000-0x0000000002407000-memory.dmp

Filesize
412KB

Download
memory/3224-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3224-632-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3596-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3596-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3596-628-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3892-109-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3892-230-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3912-143-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3912-258-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4012-637-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4012-278-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4224-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4224-47-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/4224-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4224-43-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/4224-37-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/4256-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4256-100-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4256-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4256-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4316-631-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4316-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4356-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4356-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4356-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4356-56-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4452-246-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4452-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4504-629-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4504-193-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4600-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4600-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4760-168-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4760-455-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5052-234-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5052-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads