0aabcfb18b76ca62441fcc97f4aeef58cae72d3499eb51c81676d5f866bcf45a

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
Size

1.8MB
MD5

d7a834d84f5bb8c2dcbeb298dbdb2d52
SHA1

1c7f61083ba83ab17c3f1d0d0978d41f35bc365a
SHA256

0aabcfb18b76ca62441fcc97f4aeef58cae72d3499eb51c81676d5f866bcf45a
SHA512

b56964f46a5ef05102b53f987a567c97195d6cb72ac41a7311b0a6e29dad6a4b09920e0fd7d14508aa8e1ed3d0d41dbc73936b9ed7c1a2eb45d1e923a7cb7a6d
SSDEEP

49152:HE19+ApwXk1QE1RzsEQPaxHNX8HNUPCAaq8Wdo0:Y93wXmoK/8t4C7

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1244	alg.exe
2884	DiagnosticsHub.StandardCollector.Service.exe
3168	fxssvc.exe
3456	elevation_service.exe
5064	elevation_service.exe
5076	maintenanceservice.exe
4124	msdtc.exe
368	OSE.EXE
1724	PerceptionSimulationService.exe
2888	perfhost.exe
3028	locator.exe
3060	SensorDataService.exe
4292	snmptrap.exe
840	spectrum.exe
1800	ssh-agent.exe
3764	TieringEngineService.exe
3204	AgentService.exe
1484	vds.exe
1576	vssvc.exe
944	wbengine.exe
4572	WmiApSrv.exe
1300	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ae395e8faa61dacc.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{544CD458-F493-4888-9A56-33661A7F5454}\chrome_installer.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6614a077c99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfc52d077c99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073a350087c99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095115b077c99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078cfa0097c99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f48b3077c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f40029077c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe

pid	process
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
Token: SeAuditPrivilege	3168	fxssvc.exe
Token: SeRestorePrivilege	3764	TieringEngineService.exe
Token: SeManageVolumePrivilege	3764	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3204	AgentService.exe
Token: SeBackupPrivilege	1576	vssvc.exe
Token: SeRestorePrivilege	1576	vssvc.exe
Token: SeAuditPrivilege	1576	vssvc.exe
Token: SeBackupPrivilege	944	wbengine.exe
Token: SeRestorePrivilege	944	wbengine.exe
Token: SeSecurityPrivilege	944	wbengine.exe
Token: 33	1300	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1300	SearchIndexer.exe
Token: SeDebugPrivilege	4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
Token: SeDebugPrivilege	4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
Token: SeDebugPrivilege	4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
Token: SeDebugPrivilege	4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
Token: SeDebugPrivilege	4784	2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
Token: SeDebugPrivilege	1244	alg.exe
Token: SeDebugPrivilege	1244	alg.exe
Token: SeDebugPrivilege	1244	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1300 wrote to memory of 4164	1300	SearchIndexer.exe	SearchProtocolHost.exe
PID 1300 wrote to memory of 4164	1300	SearchIndexer.exe	SearchProtocolHost.exe
PID 1300 wrote to memory of 3328	1300	SearchIndexer.exe	SearchFilterHost.exe
PID 1300 wrote to memory of 3328	1300	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4708

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4124

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:368

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3060

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:840

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4372

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4164

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
2⤵
- Modifies data under HKEY_USERS
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
603a48c4013f465a4434ede58a2f0140

SHA1
d7f1a9ed6e97bfc746bf3242ad26cdc7a8633236

SHA256
fa00d376ce1dc6180a8445b423d2be9b8a7713ccb967a32ce9cb4daba29cbe01

SHA512
3018ee89dd9b9882732ca5d0777735a1299b460659bfcabe86ff7a651d647a6e8bccc9b30736d03ab04b761b3ecc7aa2ea9849547001ff306f5e117d482b7a7b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
aeb8cbc5450cff12fac516664cfa7156

SHA1
2f159980c1990eefc08bacaf9b260ff3b9ce4f4e

SHA256
032f1eb7c5434bb678d17baa4bf3adf4a612fbda1eac6765ed08135b14ad5158

SHA512
ce04357acfd44a7ee3839544165ac0e2947be2af24e717ca68eafa24369c100446cd055289806b9907de91dcc21e68c7af8ec0417ab6c52f1873d2fe3d563455

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
7fa7faf4340b00adf00afdbea8c92c78

SHA1
31067ea187c6704095447f927894047a6239fd66

SHA256
35908899235ca40590a6613feb14772988bae0967ccbe0ac92580b91bb1af76d

SHA512
0741857085426f8a4d041c72ae1e0ad5b48f709eb2fe9fd32d1f02f52d40db03894b94ed8aca89593bb5db2665cf4024382f6b8883eacb6f45b10531abf73e56

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
86be0da84da1c6c0500188c0bed93750

SHA1
ebd025a5227bf71ad18f7d3c1cd646f3b6b0df1a

SHA256
bba86fd29bfa76be31db8889182468302ba3d7b14efdc60057c6e10706a5b206

SHA512
310d284eb368c11f875d2950d4d411e78db6dd35ce017cb9903bf08b73226f6001d6dd605fe6db09c74d4e011b2c94642c6086bc99b988b39aa69c6b3cfe4b2c

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
1463379b84daf8729511a6d1e0534ec9

SHA1
01b1adb9cc7d962768bf9da0892669c2591dfe12

SHA256
60335d98edec1e44b91702bf95775d61df9f20e16d327f7ab3e944b46538b33e

SHA512
87f9250a2ae4fb2667ba937c14f3fbe9f0654b546a67e6916d4974213846f7f8287067ec370216aae69a8d60a3ed7acbd0dee94b989a01bf005402d42b732614

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
28a2ca46c679fdf45f7b62729fa73c8e

SHA1
25e4987371ae9e0f9229cf5a60bcfd12cd1b454f

SHA256
87e5e19c4b44dd909cae30ab3e11a6e0c2848423998922999f9cfffb87111afc

SHA512
cfc176edb7738f5ad1041d140335b1d12dffc9ad0d004f93ab8a928c7ad820564867480570e531f705d5655db5c51c52dfa661c7457f0031b58ece8809a9dce5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
a277121a326de6ab04e499fdb498aa0f

SHA1
061bb85b4078d7ff2ce70c0f6aa53d1104b9049f

SHA256
fec8236f808a9254d382c2f605af4437cdea0c1f815cd40ba0a268512ebdf095

SHA512
6f4628e59d18e1df9493c6674e17a8d60f015036b20a9772f08bbcd8c7fe916013f500f32b96d1502b2429901daf985e1f94d38a6c349739f59dbc63593771ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
2a5c309029dd5bc103911c7ffdbe908d

SHA1
9a3ee6474999b148ce8ec62383e9a14e84630eee

SHA256
9a0c3d16721454ade87424a8ef293cca2989f3caff238c528479cc95efc86c6a

SHA512
bed3bac49be4df245011192b64ba1516bc8346091ed62ffadc24e0aa384e772a8e34b484bd76c160fb6e1aa26722966061f5fb1091444cf6471b2956859ec256

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
f694ccb98159fa68189b70d8dfe86edd

SHA1
fc199d6995166213d12fe0ab6733b36205e59afc

SHA256
88516153faf6e6c00ebf8a34fb9b2445eaff479db90a98a2095287eef2930bd5

SHA512
10a51034400e93d20030ff92a600b82f733164a61350e7b9ee030d5dae98a77775af258dfbe38ced4218767a5485c03109946ccad78a2b8c3d1cfc45e4a4b3f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
c38ec67162a208f807333f0ffde296e1

SHA1
d20f1677e3cbe5cec2fbdb554220c81668d8b5bf

SHA256
da12a5eee52b54774ccbdfb3d3ce6f8b7c779889bf73e84c56c295e2f11fde4c

SHA512
abf6a0b1128d247b6fdf127a969a3821ca6bc76a64fb56bf507f9736c857f107cfb1ed200ef56678d992362531cde014417a33e72afed6e42cbb7d122c023e1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
8b12cd97342eeca7ee94c64b0cb492c7

SHA1
187d512b14c75ee36953cd7e9a33f5a9536f8592

SHA256
c01b93cfcddc0be1784d48b32b9a483313843aef8344f4f720e0424934b7cdd8

SHA512
2af5f4fcea208118f8dce50e6a59fdd44ecba1fb96254233405ac4431f26bf1acf529873d7b62ea5a6e8abafdceab55ea26143da523a7449d44211e0c049a730

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
fd01b64b5f5c807e1c5ba3165b354ee6

SHA1
5ff6dbd88cc0729343b43603599f9f49839b1b92

SHA256
260a60e6ec11a51d3a1197df50737bb6c8a1326be430f4707203ba90d46e2116

SHA512
faf86d6ebc99f594b7be76585923a4776037c9f4f2f1c98c03fb0b10d253b104a1b0f7b7ab5bcde3d361674addf2c067f9607106ac114f2e44a0f870a0ef6cb1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
9a77d070e240092e9a12992e22c822af

SHA1
4bdffece92103751eff31060cbea77b4eb6197d3

SHA256
c90533688c734481d9673c982e97562e6f09d375a1c0575f4c01f6789486be7e

SHA512
fab3d929e6681c364b67a9018590466b3f75a76aef99f594a19ea3348967e432fc9bd5e6f4772a047a362c36fad82d6617d07ef9cfef9b6cb8c2d79af783b34e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
5007fe71012109dd6b5e8a4e227b5941

SHA1
8e58b623f2f421f6e6dc542235192cb10bb37d1a

SHA256
4fe75d1fb710a58e681061502fdccab69bd250740081fadf0a9eebe0245ff623

SHA512
20ad0cf01a1a529a1a4ca10310bfdc9641f8c6d91c84af0136e1395612d630b6aad236ea5f17c65ccfb5a1acd7c805ffa91627cfa324bb5f409fc9489c22a8a0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
191c94b3ce769c7d44a7b5f3381fef30

SHA1
7260a9fd0e3ce9bff1b554729a7ad84846ccf122

SHA256
d930a8b83262724c82615c543dc74ed6cd1b970321a3adeae481a6e95ef2c405

SHA512
2665558858ac8119fc3fd028fd1c98a9e2faccbc9264702f3097d32c1a7e3a1b218f99d2edbcc9d549099dc85cc989a7ac6301403ea18c5d51933c389202f003

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
aaf93a67c815d674e19a08403ac96775

SHA1
0b972d1993b3b8142f1d177e5f614e72ccd2e475

SHA256
bc37fd2fcd01400e50d4cc44f0656e7dcb471937292553c1fb7770e206899e20

SHA512
f63ac045299e6b5a74b0960bb0242cf39f058c8eedf2048a569d0270b23a78c5374695f831efb978a5288ce50fd1faa8e30e06b552680324a72fcad49137996c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
112d992857424f9f7205add9e9b87e3b

SHA1
293a63b4b19ca7c72bbab1487a50d5b750d0ad1b

SHA256
f1ec45b9e30b49b3a62439d39abf172ca3fb99be7321ed6a330fb0957f54cebc

SHA512
14d6ceb60e1ee3cc1d258bb8106c60a66b06ed51e22191f94fc6f9015ab313b9a837e9c15b95ea686fb8dad216bc34e9c4e65139fdc8248190dfb9fbca7af39c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
53b965869f3a756823fefb89775cf2a8

SHA1
074726ef808ca41313ff24693a7cd9671d674795

SHA256
5009a76fe64d392f3279fbc2b3535b6b3f780b2c4442c63d8e78f59ba0d87ba1

SHA512
ae75e72dff58557b1bc69dd57526801b77f1e349935ae4e6f94caaf81323630b76b0664e781adaee31d6f8157214b992f6cfb11ab14283fb8b1c287eb57e24da

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
e42d7829fd2f57d1af71262a2771b282

SHA1
7ebb02d5389b8f6a5ac340c2456b61378a8fa9a1

SHA256
2d7ed238cfc14ec949e2b96af7e1cd034b7418e792d5e44fd3145790a5fd88c9

SHA512
926257c138b4890c60e06cd062b887024bd248d68226780a47f3ca987aa05153ba89cf807fbd6407c85165af4357df30ef7e582a0ccf942c565c660501d0f94a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
6de5c1c6675baf023a42081471d22bfe

SHA1
8f22a76c5ffe6ea8df7412a05f397347dbd32035

SHA256
bc484b4afde327db1d12f821ad7a0ba53c9a0fc1f779b782d17c9b3a85c22312

SHA512
424f7b361da115a7b98475cc5f2781a4b626af4cdadd45420901c4ea43136e379ffe785c6e7915ac9623baf0ba49b04c8b9f66bb5b8441a4dcd88bae3d930767

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
aa7d7b3d833dd1e52cef7d79cc208b0b

SHA1
65c852b00ef56d64d9cdffc27d71c991f7b21b77

SHA256
13118f89e102e21d5f318f60a7c843ee6bb8bed694b1680b28b313183183840c

SHA512
9fa2537252c34724249bc5ad7b12ef7936a23e55acd720b3a6e64aa5f821028698c988f91c0b4764ad2117ac60374e1c91a0b16595fee72b7d394b1d722824bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
87402a9901af80c868fee01976910e37

SHA1
90e7f940d43da6c7a7e19210149efc1ed75fb26a

SHA256
c58686054d46e8a019c138733c837090f86e52624f11498c120b3e60166a2459

SHA512
d8cb774ee95530f904ae25eeace95ba57a47ffacfe76d5b01b237e1af5e025afc85f0bdd711d23311219a1e6f1d13d9a86d86e2c881047f28d104ebe637a46a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
b358f72a8395992f23431adc85924ff8

SHA1
6d1e049a52ceb6eda01bf805a56d34f6d9226a3f

SHA256
c3c92453304dc149a092413ccc068fea5cc5eca1c656ffd800b82b7cb7ce69da

SHA512
1e34ac73796ced1e5e30d7e5fb9dc05bbe6796361e917f33963b7669185ef4e236b1f3de63203a9e75c949d3e0dc8284e3d1ddfff4a65184afd77db1773e49d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
94d1342ee8c4fa5a8fbc2c185689fe04

SHA1
81886c5144a2c3ffbca683ca1e563cc811ffbd62

SHA256
c039a5ac5bf6db16774191124679e5c53ac2e83957ace46038dbebcb56e192fa

SHA512
41c1f46d000eef9ff877f50f92aa309e1d3b368bd14bb325af896155c35018079ea0913f3ffd237f0520c3d5a857ad0a8f49ca77151a2b618e10835cd817cf72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
1389104220fed1e6b0d032f769214a33

SHA1
c9ced4c92a9182eaddc5d6739337753c59c7cfe0

SHA256
2c24e7fcc29f3867702b283f509ef186ac6777352d969a7304666db403beded2

SHA512
ef4a704c071cf8850a3f18afd1cb7c7557750f3225bb220f73a5ea60466f92b4c660c3d2be3bb0ecb10658722627972c4cd966f0b43b277b6e9307325fcc32ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
6d62a42f26951beeddd4677ac17ce647

SHA1
e7d5cd2a32aaa0696e4e85675b0acfc3a410c9d4

SHA256
23e742cc05dca87556230cedbde6b6a74081a562e8b662bb8c2440aa6114ac4e

SHA512
49906a1a70a50d9f98b727ac1ee86e50c1c8d26a0195e74aae1b76d2dc5fef9be9430cbb2c5349d8a3d4e097f0ae00014e17aa081e940e0338c9682a8e392fa4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
87cd3d2c590fd3ef7bd32ea362f4e6cc

SHA1
fffb76a49d0ad98e9cdebf33ac722f846f7f24d3

SHA256
1b700982669bb7fe4b3259b610aa63e56ef78e782ccb2902f81b7e37b2a36885

SHA512
835af0b95b9ecbb63b5c76aefc3ddd4156f686a31ec0532f8fe4c8231c37a12334974799f7c7144df91cff930912c78b5705bc3ef3030b3967fd28a4cf33cb27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
1b2fd752cb12c4558e73b677f03e89f8

SHA1
2861d752ac7005c70d83702d52e56c783c51c294

SHA256
4899713a90eef86ef4a19d78a9c095477507506dec6280ba68f77887b4c20317

SHA512
36ef53daaf33c26025d322254fb4bfc5b9a34d1ec4a2f0819300f059a844f321e0da49bbc30c28840ade8bee98bf6817e5661fa0600372e70b65f85dbb7a34f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
d25492ccf602d04a63bc6bdd5737e244

SHA1
3051ef97f4743a67010dae7bc09ef9e9dce9cf7d

SHA256
0357dedfc46e2b0fd81df95f68122aeb6fefacd7a404d547166bc2595d28ebd0

SHA512
7e2207440fa2e9826bb8c49a8b90b9567b1f8b3fd10b65ce30e19d13f1811f74f72fd9b99c4f3fba9d4327bb081d65d1e12b0b1c888817f47a0511da85309fef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
459c276961fd4709ad53c9eb117e0b15

SHA1
42838eb09ec41806130b022934cfc248c8846ec0

SHA256
572907cf54eb89d741fb7d43ec1fd254d44a0a182db291ee9d8ced05ea92a31a

SHA512
4c4228420092c7cb2a012b8de7ce1a4954721d390dbd1212584083919bd4799cbc542fcb28c4ac5b1019fcf7277ff26137f22856c8d5b7b71764d30e8e047bb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
6b3d581031cda5d34f82af1d622fe605

SHA1
c373894c4703e05a768be54f7bf2d336c4e83cbd

SHA256
97cc887f4275b34605c40acaf013ddd70a5bba1e0f49b16c6b1432383ebcd9b7

SHA512
44222043ff7a3c5b1ed85e715a85456dc572ed9f8a07eed8a5a53131500ee2cf8c28a0b80df018c35082a814c66b30ffe3ceb6b8d45b4206416cc562a6caa674

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
0d1f080dad7d85dc84a9e5268b1661f3

SHA1
73ccaaadd3c20cac596d9aeae57ad2d42fba5665

SHA256
aca1c527fe3f014d7e8aea8ca0b1d9cdfea9cbf62e7d81e2ca65cc69cd0cb319

SHA512
89c25a219228352438cc02673172d0da23c4ae586fd5f22fac8e0bf2643de7fcd291576487239ecc77aea3c70eb28f7b5f514e1c00ef45df520d7872745bbf31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
420870c8f4927836474a3bc3971bcd27

SHA1
d15478c5bc31280fed8de96a54e10f2ceecbcca5

SHA256
a7e1748d0d32f2fc81ad93a23b3dc967656fcbb27e6eabab778a4f0826483ab7

SHA512
dab75de6ca4fab0b860b4d52713e5b2784fe614a726d52bf044c9a29b0b33c0f1953da086f26f34ec746d1e23a85835af92090a34ddf6831379fac962b52f90b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
c352245cf616aba8e441df0a11103770

SHA1
d53c9ee038f252d407bd8d6fc10008ce09a8cf86

SHA256
2df7e71c0e3f2c5e1dda7370d2ac3061d50313c686e38bc17f634f07b6753ad7

SHA512
7a00d9b40f0d709b5902e8dc67f32ad2ed7c162cfc6d586c44d59613ba808e4aa959165b6a5a39e92174cc5dc989b1ea0b8b59d9d6bf098c10ab8994b2d52533

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
ddd988c64bb567d96d585a39225eb351

SHA1
e9f7ff5f4219fde4665aa8b79ab25f1a079d30bf

SHA256
63df0cd5a927669a5df4a353366e56c81b18e24f0869cecd1c0d28ec0f598071

SHA512
58260178f50731fca86277504de37f85c969c167210b0c54575445c41a6f2e1a3ce22c870814eaf3b5989364b01f57334768896e4860ab116d063741d5d265a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
97ee1245b923738f6c32efcd258fd428

SHA1
8d0063dd4a05dd9cff7e6286dfb5d94d3c9a122c

SHA256
c9dcfca7c0edc464d6761fed30dbbfd10a7e42b220493e5d55d29f45604b95cc

SHA512
a0401647a58c4647c6ef87c516bbddd7c438b4adf9f537faa4f359f9cf761c54b53c308eca9d915bc7d6e5a13d0bee05b7f5166b397a625a3048be0306279630

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
06163f03f07077c8ffc25880ccc3e099

SHA1
e6cd1853ca2455d99fc9e71f36e06a82cc9a0211

SHA256
2eca5fb815c95f0f657f17718fb800684555b21a784775a3435f5c5c145e4988

SHA512
18f4b3277fef9b8a9e9d43c4af9c6ce94f7df241ac7987213374472a10e20053105cae4a76a3ab8f9602de870b53745591927f1caa139341a217e05581913b4d

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
fcab73d055ebf7fe675dc55ab410f34a

SHA1
e195423872f9e95606b6486e46c2af9a9b76a70e

SHA256
086872b8096e35bef8cf7c332b241d580e4c2d87faa3bbf2753b2167c44b6c50

SHA512
c2a6129e74238bda1c1764e9e0fdc4cb83477c2e52491bd04455493711f08881a790853008fa04a50cd5a60abd2bbee5b4ded50c1fdc472e95f224b5b24b4bb7

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
7c91c6458633d9de01b8a9dfb268e15b

SHA1
7802bcbbf67d45cebbe71d45edd52dbff6536622

SHA256
6c0177e87a95d1732c2f67047b64dfc0e9e17d6e4679d37c8e41cfcd6798132a

SHA512
655c1c8213acec45deda3f24153520999b2aaf462d2f9b50a42055bcf02f9670ba170779af6a4e82d3d96d1c2ffa0a170bb376799095b380c5fc389b808fb8b8

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d73fbd7e13900422da39d5e3eac4af79

SHA1
d312ac59ddd893f41ee013224c2d982adec8cd47

SHA256
784167e91e99a6271a4792a768ef2d9e4e973543633110a60c5a98e866361fed

SHA512
95e3335d5c43cf17438b6d078ff0f7f7df598825050f96313d45c789aeb60480dc667071c89720399769fe3430206ee43be3930259957b11fbbb6d96bf76804a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
bb0c649b3770f5b02636ed4fd2d690b6

SHA1
cc1c1cbb4ef28e5bbbbd85a35fc3a8d74d70bd32

SHA256
76bdda29063c1ffde2cec5bdd53f64003dd2e230abd29c90fa65ae7ad7baa061

SHA512
8b2e8a78ab6d1b2bd95263c0a0750f8a7a9fa06d274a4bce73b9df251e52387ed70b6cd270c9caf22e19fb6ea81e773d88e2b4d281b91b69279ed5d51a634f88

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
8467a34c1bd4a28bf045604b089c4cc9

SHA1
dcc2149220a00731081fcfc93b37200a756dba3c

SHA256
ff58f06948fb780435136a0c58ae6ce34406f892b2f9b46c831cc7a863aa7251

SHA512
aab90916afc7310fe704e4a0caac5988d82d397c7bcbc1443d82ef6f2111c34f86e8c0bfa02b3c0c10db3f1a1516474cdf6f077d4bb0c10f095c78c309f10d83

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
f69f261f10d6b5375b1250499c8bdf41

SHA1
7625675b841465c21f548a0095500e511a93f24b

SHA256
2ce412312cffee87acdbdcda678d55d3f78120caa4e483a6e2eaecee36c1f306

SHA512
c991370bad7055c2b72d1bfd1866d0201ae980efbe681f4a4d13c398c8bcf5057726787713dfa3096a664a71a4f0cdb6b6c69925941eaa05fa3f567eac1ea887

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
8692005f8eaf55a05d0f20ffa3b80238

SHA1
34c71f8fe27a58cb5f01c2850e5593b8ab6c878c

SHA256
b7d2930e1d5557cf86a5c7cf1ffc3680a00af9acedad3bdb4e97f936a3c5392c

SHA512
7678208e16475b242b6064645c5f98ec814b503b9652c5f08a2b1c57a1b2b3ae3895b35369f8844dfc56b3a7a3c0115b11e398c76543f3f030a0be51c693739d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
55d9be7835e9afe174094564a977a0f5

SHA1
7b5aaf2edebac1f0410d7a142a93ab701875559b

SHA256
6848e47b93ecb0bf9bc02ec11115f4382cd890cbecae5c1bc299dca1409cc229

SHA512
1265f0140dc7d5ed416e424657db62c6c6508b036e2a557e924eedf0d31c2abbca8abb0aec639c4fa91ea34c6109a674cf47d2db500e9511a243646b7e1c4988

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d3576aff27c3d4b63421c4e9d74fcb21

SHA1
fac5dafe3dcc772a3bb367df47f2ee20f10502c1

SHA256
a5b69720e250ee67aab52ae15d4338ac1357d26501d7b7dd8b1533d9358c8382

SHA512
c65ba9d279f20a0376650ca0f3b862f2f47d565ecc7596c86c6a0661c2e2a2cd9fa3b1fd9675d291f96ddbb3df439c8db2f4ec90cbafd692abff9ed98c19ccb1

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
835959854afaae6aa445bb579443946f

SHA1
99a7baba9ba77b655e2518019bfd74cf9e073763

SHA256
31901e312b3b8e524ecffd07123a86030738340fbc5bbcdc0bef2f08e7ec08fd

SHA512
58a156b8916809f6f5d8e0211bc412cc2229db8c935aacd80167a4f8153ba910cbdd1caa250ffb29c4b489af8c2366118061189c605b35940126500d179fd3e5

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
601ce98594cb048da25e0b4efb0edeb7

SHA1
587a7a3be81c21b51512626d237ab7cf1e9ae91a

SHA256
0744454b4a87af4a09d4ec4c7457bf99cd1da888d42ec178aee24ba1797bd762

SHA512
b36ea0ebd97ca1bdd6d3a4028ef8250db040455284355bb9b7294a3a498e647f77c2c8684368fea506ad285729b5692b882429c205a6944247a4b8c71576e646

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
1f3363567f87d232ce5cffa0b8ecf332

SHA1
d3e76784fa232229e23dd6eb8d6d11d2c9eb70ed

SHA256
3356131e2032da96652a7372c7401d91169450728f26a56893536af03faa8267

SHA512
fa0820b5c8e80420cf4fd6e38ea1f8196ff6dac42fd3a09f2360d39a0ac6b0489d0b670b16cc04947e0a8efa70586e26ab8b6a31f177ccd0f1d07ac63282a8be

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
223feb2ed1ab26b621e836941cd186d5

SHA1
e2d054ffec7dc33d59057e6bf9f6b2f04098d0a8

SHA256
0686a871e888f87967a8a10b8b4bb6d2b026caf36ae358850bb157763f2c9e71

SHA512
5da870931b15b8b834b790a17ea1afa62aecc2e40fbdb25b71d7fb37f2455f4f2cbf67d04edf3f4938c62970c39cdbea0409ab3e8f5a09052ae171183572c0cf

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
ea98821fae01df58b8b30f32a171da08

SHA1
f1fa952b080c886096db02ec5ed03975338a9139

SHA256
c1a44c7692af18a09aced267d3c97d7b25f5e668d4d30a01b903f354f5c67e53

SHA512
aef9b29a37c545aae5354cc6b5bc4532f7a1c3b6f6d8fe092dca6c024e0b1b4bd44946b9013a0c6a273c7fef6b8b914f340a89e41e6e02e5b5848781dc5826c5

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
21c6f89e8886ac10ab1e96441f34298c

SHA1
e5ad606c7ba0fa160dc3c8bf0cb1fcb8ae00f9f3

SHA256
6a713c3d230ebe07065f68364e24d63ea1c1c402857178d6d4298d0cd22999f9

SHA512
36fbf85a630be920353ed40a5ca70bee6925a39e759bfd833ca6c5c2d9c5215da705cbae39b40931d8774c1936790fccf8bd83eda7b8a4c764fec2d3d1007dbc

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
11cf56567a76b6789d85611438f6be2b

SHA1
b8919472a5208b16d9c7c520d8e275b0c97de8c2

SHA256
de12d7e3a069c42e418576bdaf9dc0cfd68cd09df1d195760e4d0f102681bc1f

SHA512
16dcd0689bc14ea6677d3febde4643c5ecbd50d064ad8ab0d7c89ab708da44f31a332ff488c6f7782c83b6812e3e7efc77d15ff07b46cd024063a39014def85c

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
60be8ad1c83373746d8dd5c32eee9afb

SHA1
1b51f2c195be3f43b8fa1456f6b567639e4275db

SHA256
972da2d299656c60737fc6bd58346c308fb710fbf5ba76e98d64aac07c74e1f3

SHA512
68a9ce12cdfbaf5a356c2c2d40c009831ed32b68a54bd456de81043e2227391c85724026061110168c5d715c13dbad5683d401b28cbcfa7d859adf9af1be8c01

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
0282df9e808e25b3424953dc611edaf1

SHA1
017de5130238b8e39ae216af8bb2acba4d076354

SHA256
fca629d84c9ada940dd28d4148bfe0e20a0fe46ccd022160e58510313a857614

SHA512
a3e60898416ccf4152cab1a586e77c6f5a808b84780936f8ce5a0a7d0b1a4a75cea6a1d554608371e2ef566bfbc140f14c1c660aa427b02bb81cdaa7e5f92872

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
5e58311a2d903b29a202d85a51d91dcc

SHA1
eaafc30348922f749284889560d58b3a4269013d

SHA256
f733e884a54da0a866406439fe3992fd9d51a0d2ccd5735da4083330fcd4469b

SHA512
b96e08c1b54b98950b1602cb956f08737974451afc1819efe760c07ddf8e19aa2f6ab96d5ce24a15fbb7fa097334b0eb66de623359a25c3a34f093ab3d127ce8

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
a33a4efa8dcbb26aff0209b13e169e90

SHA1
41ec36fd490b8417b2d5ae181ef3b54158097b7e

SHA256
a72e1116d91603e54f150662b810456e50a98ed1cb7c58c26c164f368e5de583

SHA512
8d45b956dcf66a060a6e4a71ee0af8d9b170828b4443c1c57f1edc3a9b25ab33e83b297b02c2fe452572d8c05f80315c266d59bac692488bceab781d2284ac3e

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
28a9c3689e92a4a6b8e8821ec868a4d9

SHA1
24e82f2bfb5f9bd5ca82339759c69515b85d5afc

SHA256
912c4883c20fdf8709564133320e47508a799904699243278b8798b7bb30826d

SHA512
af7d3406129ebdd00e0b6315ff12d7cf4dc0ab185cbb0e0cf23473dd33a72b0003bc9564b0fe5de428fcf3471587a050e6421ee21e670b818b3c3c497be7dd51

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
7bb66b1d2717277ac98091edf9feedb0

SHA1
8a937fcc90755d5644e09541b28a4ebc891db8f9

SHA256
15b81100fc147e74f185a5725996c838428a2537cfff5b181f1dd57a062f7a22

SHA512
564994661b75656b550c95688276d38763f66d4f876d3460d5c644993ac0bffcff6c8100c42347fa762d09454c80ceb39644a2b458602ae992d72599f6875cd7

Download Submit
memory/368-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/368-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/840-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/840-493-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/944-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/944-553-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1244-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1244-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1244-128-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1244-19-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1244-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1300-555-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1300-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1484-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1484-549-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1576-552-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1576-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1724-236-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1724-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1800-547-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1800-195-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2884-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2884-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2884-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2888-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2888-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3028-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3028-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3060-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3060-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3060-546-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3168-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3168-45-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3168-60-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3168-39-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3168-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3204-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3204-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3456-61-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3456-173-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3456-57-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3764-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3764-548-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4124-209-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4124-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4124-92-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4292-444-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4292-168-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4572-554-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4572-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4784-0-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/4784-90-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4784-7-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4784-8-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/5064-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5064-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5064-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5064-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5076-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5076-85-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/5076-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5076-76-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/5076-82-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download