60926f5c79ca809f8d2bfb975ce78cb5ad37cf99b465f5239e4016ab3beb0cc2

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
Size

1.8MB
MD5

fe10a37bcd9b12533ac7fd9351b841df
SHA1

e61e0e0b027ec3951e289d9f0e190124bce3b74f
SHA256

60926f5c79ca809f8d2bfb975ce78cb5ad37cf99b465f5239e4016ab3beb0cc2
SHA512

4ce4b8caa091df0d4c351abad5e5460f7778fdcdb629e56103e61e6e84d13da64c09636670b56a1aa3f348d1b322d04b4fe20f31caa7ca06b0973bf07f9cfb9e
SSDEEP

49152:eE19+ApwXk1QE1RzsEQPaxHNRisGcnlQHPxi:j93wXmoKJnlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2928	alg.exe
2884	DiagnosticsHub.StandardCollector.Service.exe
2420	fxssvc.exe
2456	elevation_service.exe
2356	elevation_service.exe
1840	maintenanceservice.exe
4512	msdtc.exe
2832	OSE.EXE
4692	PerceptionSimulationService.exe
3588	perfhost.exe
1844	locator.exe
2056	SensorDataService.exe
2300	snmptrap.exe
3888	spectrum.exe
2040	ssh-agent.exe
1296	TieringEngineService.exe
3504	AgentService.exe
4176	vds.exe
1072	vssvc.exe
2392	wbengine.exe
4288	WmiApSrv.exe
3028	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\59afa560aa61dacc.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaws.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaw.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exealg.exe2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003909bf6b6799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adcdc36b6799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c59ae6b6799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007b3106e6799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057182f6c6799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe

pid	process
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
Token: SeAuditPrivilege	2420	fxssvc.exe
Token: SeRestorePrivilege	1296	TieringEngineService.exe
Token: SeManageVolumePrivilege	1296	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3504	AgentService.exe
Token: SeBackupPrivilege	1072	vssvc.exe
Token: SeRestorePrivilege	1072	vssvc.exe
Token: SeAuditPrivilege	1072	vssvc.exe
Token: SeBackupPrivilege	2392	wbengine.exe
Token: SeRestorePrivilege	2392	wbengine.exe
Token: SeSecurityPrivilege	2392	wbengine.exe
Token: 33	3028	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeDebugPrivilege	1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
Token: SeDebugPrivilege	1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
Token: SeDebugPrivilege	1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
Token: SeDebugPrivilege	1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
Token: SeDebugPrivilege	1916	2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
Token: SeDebugPrivilege	2928	alg.exe
Token: SeDebugPrivilege	2928	alg.exe
Token: SeDebugPrivilege	2928	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3028 wrote to memory of 2672	3028	SearchIndexer.exe	SearchProtocolHost.exe
PID 3028 wrote to memory of 2672	3028	SearchIndexer.exe	SearchProtocolHost.exe
PID 3028 wrote to memory of 3792	3028	SearchIndexer.exe	SearchFilterHost.exe
PID 3028 wrote to memory of 3792	3028	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_fe10a37bcd9b12533ac7fd9351b841df_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1512

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2356

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1840

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4512

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2832

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2056

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3888

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4052

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2672

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1b23d3fd8cd0c7d7f86b79132601b6fb

SHA1
ec2c53ea9b0927de02a5c756708925ba5a380445

SHA256
4163109adb7622d217214ea553ded62783622b544d13eaac6e0df3d3b94640bf

SHA512
7b14c561143eba29ff035900e7eef0abca0f6f16e767bbee1d440df1c5e5d42c2e2b10bef11884d8b9ee3c3b2fac2eadd336b354be808ead0c980d1cfad7332d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b83d70c7bfb8e8a6e4ce0b13de9bb393

SHA1
9e889a3c71d961179b3b8993fc6c978f03843560

SHA256
a1dd381b46cceea3b5e58500c879fece71ec1167d509d6b1936fce3c1cc15ea8

SHA512
968aa363189fea00e5886cd2fb85f4672feab9c936ce025e1ddc6644f46c835e0c0592d1c11c73026abc23fa01a86408ef36768071a6b98b66e90d9d762a858e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
876249c1582c374c76ec76d6d6149956

SHA1
90c08b24fddcc3402849bb3e51b0e5da9a220684

SHA256
1461b34f32f37e012d722b1ca2bce2f31aa8a64f45c2335b802a210a9b6a1c24

SHA512
55ae9f5072b98b4de8e2352e536dc6f5adb928135e9dc0f63f103b82f818cd77e73a0ad3daecde1392376d2989db9335a8cf1a77e6cf2d1cfac5d6df25b85306

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
29ad658101d565351691a82b3f84ec5a

SHA1
5cfb8001280f60a24f8154a3da5e3f5d42810d3f

SHA256
b4290317bcc7d68383569549fbfae06f408244bb8393439c9231e5e1d3adbb32

SHA512
f3a3d7085fe8a5396c77854c117be0792f76614d78e0307cf83fa344c4d95311edc7e2e8d4030b42cf6047a826a87c8fad2720ad36447e20bd1796c93c3e0e79

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b8b6252d6b4e2a21f3cfa8deb6156e55

SHA1
8218e412754dfea79a2a18603550514d4722072c

SHA256
bfc213c2b923fcc1d8bb4ce2e6d82945604ad4bb1d60342e86b1a8ea1c2586e0

SHA512
7b98b56a03a34cf65ebc27daa5eafbfffea93c42954f1a667568bfb661c3f5b3de491a9e2e0de5e98bd363e195b08fb963b95f445b4a59c60f532b324d0f3dbf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
a72896b0ba35c9a93d7a33e9e844848d

SHA1
f5e02b6fe79894ec509a857d23fb913997429466

SHA256
c77554517c0e7f7fe7589429b5354a7651a6c9ac879c2e732cf6e1459b110ddc

SHA512
5b4f47d4cf0f4f858af33a6774b8476e87bc7349a3fad3e29581384f8d50297212447234e345c5b58fec7287f73ffee73d213a638b7466506e672e82f3693396

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d96b449bc99c8c9f89f18fce6b833986

SHA1
8e40b8f6bfd8a116a8cfa763e01b42823ec02cad

SHA256
3bdcc84ac21cb9124ce55565319d0c4472de37e2235434103f58e61fffe6bcb9

SHA512
810866d41253f5b299effd6d11b7d593b0e8f227b8f67a883284e457d3c95e7afdf8fa8c6d9ca0d91920c7c523813e74421b22ff3d0a733edd1b20961af4e955

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
16350bc2e24e578c4b548fa9b9a31520

SHA1
c98c66bcacca91e675f46def47ab74c294e73224

SHA256
acf51dd76bc986070df370bfe1251c59ae498a5d7df5a8fd953bd7884b459dbf

SHA512
0f39f10d57aa05901df720de5c5eec859e6c6a47426cd9c7d2c211b3ba9d982ab757de7f9478e95abf0103f4987f6943e6f43e75eab0882fd7aa71a302fdd1d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
f93bf5f0777e4c548ee2f63c9d0660a0

SHA1
a5c98517b9a3ae86a7ef7adce522457ba5a13b16

SHA256
3c50a2703029f7c0df0341fa7c133561836fc829e9f5de833978bc57ec5f93ca

SHA512
f20d65860e108705be5b13b8c407b5e1ab29fca8558e13a686b16b4036baa8bde555010008e5183ac1cc3dc2ae75804af0804c48223009191851fe7f1c275d57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0f933b951512e0d289acf2e771028056

SHA1
57d79e7cab497dfd683d36160e7052e03eb3e4d4

SHA256
84efc2901951edb10aa39ef09662df00091438a0984f437e773e7a2671c75fc1

SHA512
5fa5f324f59b5b09473e4613389fed8245b717202dcb9413f1511774311f9fd4dc952668326e97c4534e8280128b494269359a4328ab68c35558ca376e659352

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5b3ffee9f2c4ae3e6cb5ddc68e026a7e

SHA1
ec84adff58982223a14d6d6afda8f728c46c44a2

SHA256
e4e1676f34bda099ed6cdd065e0112d0508a6295da6072b471a65ec52a9ee3e1

SHA512
dfd189fd163522d94b65a0f42b46b47a2a3db35ddb4bbc8d5586f35c736029b760fb371a493853611d8d24cc7417b97ebff06a4c1b64b1153724e2da749c686b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
eaf14db290a0c9a5faf64c94da64a611

SHA1
ad728ae6af83907630ff19ef64b7a463dd7ceab9

SHA256
a419fa44d813d3536f219d37ec8294c723f263f57a4bba623ecbb2763939e205

SHA512
674d87d77a4d6a9628e092a62e2e52d6165f8ccc17ef2040947eda6e8a565e9e4b09fac6d1af9bd3a1c2014e1dcd3341f79334db928b4f82c9d92e2ea5cfadc7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a98367dbf41c17af5270adb967364265

SHA1
4b3c9581fd4c8031bac5106bfb67ef79c7442483

SHA256
30c5a76bac716f5c9f64e9ff1e1a5b1591a3f5ce1ab7d47b1cf28d63f2583dad

SHA512
4f2e6beb4519bea9e4c50eeb2b51289d74c3c0b6510296f97f3f1db32a2f22bc80a37ce7fcca030da63ad639a34672c1cfc46fb0b2a676e55bcc92012c5730c4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
c7980b5fa756adb377f0b2b64d93636c

SHA1
89a3c9434915f59090e55ac9fc5777391beebe97

SHA256
cc547c48aa7d8a6559ff71302834ad9ae73ca68121bb9351b40f1027cafe501f

SHA512
c26e1f3e2e80a6658a2956e431d78bed9af156a983f027ef21eca1cb31debd3515d97cf9553c03c09342c2c7229bd373f142f2d8060499abaf703018d3cd6f6a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
45f5bc36499c4a538743a2566d92f9cf

SHA1
db8be0d3422b7dc0c7b503db3dad066708999409

SHA256
66294583c73df973cbb50542e619985c428db78efb011f0a6929cd2c0dbd75f2

SHA512
89637500ca39fed842616e87d4b4ef9d0d8a44627b4cc9c5cb1bef30075fdc93e1f437d7a46e64bb55be70ea46fd2ac8895da00462ab2fa18e458b18a987eda0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
a26f6761553c65089153f94768d634d3

SHA1
8423089826721b5fc9cf26cc79a6fb0e3b4de9a8

SHA256
43175103b17ae924d39aa76fe4c38403d6f19ba0b6022f207f4ca6c1dfeb0e28

SHA512
056037865304d0f475c670e6b7460fcd78c95959c2f2e2d61b48bd4b3b1f1724a6d6795d98f7d06f9527d99ad724cfb5f1ebeb71bd07e8c85abdf70fd179e435

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
972a7be5c4fdd0c09a3575854097ca44

SHA1
26989b7746241cd7e1906207f503fc7407d04aff

SHA256
d85acd2b0ed34073378c5dab0df74d055dcd3e54a1bb195fca51b914bf328989

SHA512
04c0649ea439eec2e2fb2ec0a150580658cbda113f2d065dd88bdd226d98471f49ef9bd50ef92872e9383e8637b8d533e67bd01626e22f88385f09cdc29183f5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
97a20c7a495f8b227899e7825092581d

SHA1
675b493e59090edbe3a1d2b43136330d5850d009

SHA256
2275da5bf5dc53c17519404fd8e9e43647ce0a7389b6b388cf4f18132e26d318

SHA512
4fa9f3fbddf9c93ebd89601523fdcb7950d07432970b46d005db9151d92a42e34fb052cf92ca99d3f793f747cfece54b3771bae6eabedec4ef353960310cf9e9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
44c668e3f7b4018f5fd3463da273a12b

SHA1
fd612d66538d8e779d4f8dfbce120779c315d4f6

SHA256
358cfc967378b948e1fbced476d82107da67b4a02f119be563aa2ef6216e8b14

SHA512
a6c79a3f111157169d73e6636fbb1f7d10077a67915bb940723ffbb309545114a5056929ea965e8e589e49f45d28c769c9ea569ecb1f289c1c3243525c8e0ff3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ec41003febb3f87dfaee25eb175875a4

SHA1
5b2746b3a2ca361c06e09adcd0887ddd614d03d6

SHA256
023d976098bb0460de1466bbf76496791ee05f3c0a2229b39656d46844687428

SHA512
db32c18e7d698f0b15cd163602f5d7af19e04144dd3114e2ba6668b561bc4149e637de7c32e7114d098f47056e9d63d3b437c61b0278401e6145c47bac79d75a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f39932afc285ae98ae99873126ef3d43

SHA1
2b3d29e7c0cf272cf73a77de9267bbea9728bd72

SHA256
e94fccab8f9e3e003fdd9b43abab988401b54543365fd17a0069263ba6f64da9

SHA512
071fb378e1d09d1e6822860a42a1eefb700745740baa2f13ab1dbf3b0c990653abaacfccbafa57d66470585f918496ce6f99f4bffcce2983aeb835f53bb5947a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
24657118793393ed15d4c46308f9166b

SHA1
78028dfc22c0ed3e1231af5b980ff2b9168de7c7

SHA256
b5387dad522959d2db919d0872e1eefeaef2d8cad096bacecd7d7fd1784608a5

SHA512
61091755845ae0b41d83b37f7ccc068323b82aee355fe1f37051c65576bb23981cbfc4af2c19a94352bff14f83cd378b2635026fe68b4593a091f5a40efef987

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
a92e0635091885e8e73e6b880472e9ba

SHA1
314ad47e9be764c22cd42147ff1330fdd66738df

SHA256
2a4d71f1a143b7d30eba14c249a4b5ef748de729b3d18d1e3482ebab55b62443

SHA512
6df850f0d043531818cc5e2ec26bf959b06cb79e16a02271dff5ed2d12b49160ad03cb89c3a9f7906c095c7fb68f9ba8e5e8dfb2aba2ffc7fd9b9fd7e799381f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
29440ee51a32e70b42623198b0637976

SHA1
f724a2a5ec69522debf1969016f78a8fa56d00e5

SHA256
633ae029822f1f9f436a4d93447d1af0b9de634783ff1b04eff6ea1ce13e83b4

SHA512
705456796cbedba52a927ede8c35a7c12cf019f8e1b078baa4aaab25d1fec9657c66bce9714ceb1eaef51a8f68e1fcd33036dfc063fa0279817dec9f7988c263

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
e45069002d88e7bb2e4b2413e46d0c28

SHA1
e087231b4c719f5b5fe10a6ff5cb50dd7fd58bdc

SHA256
c5d447a229a5234c121d9a278c3bd57e16c3ecf046f141f3b679af01d0b4c60a

SHA512
3e63e2612d196fbfbef550629411472a6bd30cfa6f08f6566eba419fd4243d05d4473945237552543753b198a33c9e2a4e514d94807b095e528cb5a10c4121eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
98a7f8eeabc468c702699de440a1b216

SHA1
efbcc56ed20d32aea519beee6157a25b856119eb

SHA256
468d3bf0c0ed53ea06fca7e1aaddb32485504137b4a372777ed965f5f71fe6c8

SHA512
8cf8e60e91c332623e9590e72375b1355f5d9c2d699499060eea5e185dd41983b724cb715d4d35d591ec70e22385c5ede67219a519b0610a6fd3a6a5adaf4c92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
5b5b3e2e829e53c9bff44067dae7c762

SHA1
4c136538700ce58c09da2189af251f0af2aec33b

SHA256
dfa9ffdfbdc72922d63ae2e8f92d7d2c7dc06bb5cd06e0af74c5e0a7e5a8ff3e

SHA512
d330a4cd16cc7c590c120b65f93f01371e52f11a994447ce09beae3775d65aacf17738e97a4c7a4ca89121600298bfa78c17649fadd863760e799a61fe0a4794

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
398d7c74c7635649d11d8007982eb2e5

SHA1
2d7fe1a2cfcc77a7726445e8765ae1194b085f01

SHA256
75c9976aeee9422ff9ef39ff98e717613a6075de8b034757abb993a0d8a12f15

SHA512
23088cda91f6122dc440453eb049749a5bbe7638c08be95f6477fb8493d8622032d738de675ff008ebd81292eb3955dcc356eb859c12fea6dde94061e6af8892

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
55aa48aea6e058003e359882c60b09a0

SHA1
b7a8474f74fd0a1fa7899cf19d3a871a73d479ff

SHA256
fcbe9a565fff875d165c640dc92ef363623577213a492af39427bb3ed53a20b7

SHA512
fa67dc904a7ae0c705f66dee28ff7b6389fd9c238c8e5889fa69e3f55d99cc48c17b26ab3f277319011bad21c685e8dd0a2934f6ef8a3ee0b7e9d300da27fb28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
16a4dade863dc238bce8203917e8e800

SHA1
cee094b0c9e054536e9ff050fac9d4fabfd1395e

SHA256
2bab3e44f226a627c446645f700f4c6a2c21debe91a82dbe7635176adc0da916

SHA512
a4b6cbe911e5abd0ceaa78ebe32dd13fdecc73c9ac8e175f307d7e1a695b40f7add7f075ca452c8e5df6249ff26f1f8ca1658b5c6b0bce91786627aa9598f6e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
f0cb6c99ce1a9bf6425d1badd9a2e719

SHA1
7ff8deb9981da09b451ba3f6e21e4ac6454221c1

SHA256
5d571c8d9d10a8ea3a9672633a51ff21cb14318971918891a305ec3479cd7472

SHA512
4e2dfff77978ef3313ae1aa71656b3289b28af814051ba484edc490cea6d2d7c927d8c6846ab4c44f2ba7206de076024cb0a85436e71bec6d0aba1909da42330

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
28579f73cf5cbbdf847e5c7d557a3f85

SHA1
1f684a5dbda2f3357280069b3a7464c82c9522a9

SHA256
e04ff15f868d6c55b4d929abd9b058a92e4b1f0552f83394eb99dcd94bd2834d

SHA512
a5fa5c2068d5e7d368638e54701f9a969b31f93cdf7ca39f806cac9dcd09122b1f6b11ba97de97a11ff6fb2f2205d097b355acddec3211a3c38f48bff8f4e3fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
477c1e267922154c379441b15403c237

SHA1
8be6a11005c97ffb057b3ac04a4b4126abb189e9

SHA256
b9797f197df52de882b7c529e47da46ca82affefcf65efaa0007fbe12407d88d

SHA512
54b98c1899adbb4cbb0e62e7a5ea3c2925a438714cbf213b326422ce26fe462a2e9edf42c54e9728dcf1a5b5fc6ce0d430b8fb5a27274a46d13ac8375fec9621

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
21cd8754b9a2bd9c53d87ca0b5cde330

SHA1
ae28772110b0fc85d1add37724769161b6fc602a

SHA256
d484c397b3ce651ac79f5e3416e28179e67029b92fc3c41545cce61f13e52b99

SHA512
e996f5f9f3bf13e36bff0a1ecadc39183e3be4ba1608f7228899399e3423aed5474cdd8688b18ce7406a074b4796f9605b2849e7c7544046a09e3af979173404

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
3572e0989b3481b9e73e850c6f5a4c60

SHA1
54d607e7c782d666a8285b9151a3867c4bed7bbd

SHA256
9fc3bad11ec062fd1e801d7cafa5a472414f4a3f7b9591b2d309412af888ec66

SHA512
5d7400a21e721b5d851e2e86fbe969b450b1b3a63a6d8fcea7bd2a8e3f813fa2e85a5041c20ce09d86c0a2b97aef3bbfec1bf6cb6e1fd8bcad093e8dd4a54bd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
14b08c48d6e458f60289db956007975b

SHA1
bb4ea0efc31d5e7cf86f8574c1097f9103b1cf31

SHA256
9250a82e892de9ca2abf4a7bf20ff23de4fc2c833d4215d44cf5423582a92546

SHA512
b286db208a31e918233903718738cc13fdab9d311b185c5f3d177c5da0ceb593f9ec30bf04e584e9de3b959b49a836cc18790dc7e160573e37396749053504d3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d0a3768fc9fd7b1c2c86ddbc0fcbe0fb

SHA1
c6b054cefaccd62ea54b0af8e921043449f2d87b

SHA256
14c69764a7d65256be8cc05dea60a4e8647749c1b96403ef5f0f8d9f9656d63c

SHA512
3053f0b6a87c5a9429e4fe041309834976554a4009d1b85b97a986b9c7eee8195cf30bcc3dd178b59c96854b77c617bd17a90d1989ecd8d23108fa9a7cdfa83e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
563ac7c32b19bfc1b0049b3f40de13e3

SHA1
afbc97290981fe5dcfdc099536870bf7dacade65

SHA256
d7002c192c6b9e96feebf1528aa8a7341f6dac4e7dc9a42aee9359f7a411ca50

SHA512
84100a5408eefe3eec1e9e3171bdae4e879554719682ec82f4b8921c9743f78ea3901073fe594ad45e6196764d2ec6ecef7c70e5f56744df1fc0a262665dcc46

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c7f54c8ef5e350d828965ee6cce69623

SHA1
4c0058279f27b3217eed5828ede3eca550a03bc3

SHA256
8a287575b58abe91c204bbd78427024a1ece896cd021b5123f4331048dd80dc8

SHA512
0820bc53b0138172643f5b0310bbb58704321e7fd52d4a28b7c63e3f7d0a30eb2fd9be438854290eecb3972702a627f94709ad84c143411618859b3e2a952796

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c85475a6e034abad0bb1db45594150d2

SHA1
cec46e25578eee07b70b0073c01c1ce92b56116d

SHA256
da37f5526530fe7aabcc1f1b7ebb28b044328751f937445fb1c2dd5148c7e3bc

SHA512
757da54f3f3f451c6ebaf0edfc2c5eec8b83d249a0152a33f6029895b6a5d0267380e1e21d3f7e3a82eb273c28f553d1884bf8b5a8e2873016dab86e9ecdae8b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
7d8132176445ba146647d1ac2cf47d65

SHA1
545f03e72a17519197c5fde94ac0eed32a3b7cc1

SHA256
d71b2a4277fb07ba9a6b053e3912426207976e94e1d88b10ca5ec67a691e81d2

SHA512
5a1fed6e1373c0c4081f54f6c148e864ec20707fdfc2eefa827de3b25a2d7a20932cd7ab89ce9e192d8c0282831299fbc67566822318d7efd652441b6dc771d8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
145ee15f01e90319a111b9979467c186

SHA1
e3962d42e8046e0bfc80d10a81ef44a9fc6ac00b

SHA256
54ed12a8176e3f4f6beb8c5bb8b6b43994e176cedc904cdd867ff8dd1c66418b

SHA512
f14d78b6cc255a16658099f99e4cf176e344913e372a6a3fe21c5dfaa5142acffed36943a1bbe2c8e131612ea5b25700d5bb3aa2ba93e95adda985610256354d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
29273b48fea42eaf0bb8981b4c2116fe

SHA1
ce95056b3bcb49d471c2c47217b0bf5d1b5f77f5

SHA256
aec879b02a103862fbb361fe1709e7b5a744c721d13b3a7db9a4c8b638f49c30

SHA512
37f780ea5cd358cf48b5855d5334f47a4466b134c001e0ebdb98b7c560d57e42b2e543ece359ba7bb81e0be9a254ed4d77d227bf16491fe9a9a75e9d0a760577

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
e03e417a4ef056e9af9dd96a7261158f

SHA1
e57992daf292e991dcf21f8b97e8a68912165d1e

SHA256
ff8b5c42469c77e281bfdb348d613003a8992fdeff060ecdbd8c45dccebfbd7f

SHA512
e805e6331646c55dfbcb80749843bdde90657904ad4262ff54974cb25008992dbd527f3310d6cc25ad80bca2dc2ba26f7063d9947b28f8dba6db178971ff97fc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
d0cf2e776ce3707068be82aac79b2ebb

SHA1
d214fe07a69612f991414f8f29bee10acff95ddd

SHA256
a3bd054a1f3a377679a08721066707e2891cd5451806616417945b6950090e0f

SHA512
fa4925a1af40506fe8ed1536a6f787deb603462cf525945fac89c2e7a27171ed71c3982c04b5e09eb95f316eb46e1626203db91a1103318cadaf70f3c343b286

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fac2edd0acdebb9caeb923c25f0b64ab

SHA1
1c0a651aed0e0e8b426120504c02080cab032915

SHA256
82a604de88ce7d795987e461fa5b22ffb68afa086a0bd7cafd43b46056fddfba

SHA512
ba6e37513ac6d26079b82f6d86154ddf0c3f75ed1c4cbeeac8adcd24d7ee2f71f8de633700695497d074429fb4069bfff3b0f86195fafc909461e31450beef21

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bf0367c38c86d1104e84f7c4310ab441

SHA1
2fa002205319b8f2dae7cc3de0b919efb88ae3b5

SHA256
99936bca9cf73d6bf6764ec4583e453feb24a69b1bda8f18cef764211a9a43f1

SHA512
3d17639a6f7b5f5fa2ba3c3c2170182efb2293df3be928d6749f78ba6d9fdaa3632186dc05b5572c1aa6655058181bde83f98f49f18379c889cd2e60fcb174b0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
00338a8bbc6ed1476d26b5f52558d58f

SHA1
a27b9bbb1d01a655f6b45263d251384a68a710b9

SHA256
3f5f432d6e3d6dec792a9685e34e72715bd0d82b904ace706a1f5d3a2cf6615d

SHA512
b1177b1f42260c5e15a46e1d7c2859a907b5a6fc4820cacf7d98830345eef8bc66d17dc308b56b43ff85909ca1c4d261ad93a824c9c2d4f366a48beaa4652a6c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e9eb41aea3d3b0b2ba14fbb6f4ed4d83

SHA1
68be742b73e639863dd050f70eda8a5c7224d8ba

SHA256
0a6a37fabbd16a2938724cb742a80eb993a6fa6bbab418253b8971df5cf6a3c1

SHA512
d80eb3ae023b90ba05f316b15c200188dcfedb79db8f1875968158efc83de58e57bae462283312e1250a092010d5daafac366c8e382ecba0b415c01308fb680a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ac15e6b6574ccff7bdde2a1cf132906a

SHA1
9a23b8530e0fea65a9e95147fa1e6a94f2369395

SHA256
701661b1af0b7990b8f491b1bc8ce94d9619a3de917946f620056f5dd3bef58d

SHA512
4a992158d9eb8a58571cd04ec26b8d41590873c490371227d4fb33e93e59a3d030b2fa88810b53d5222e0bb853e03db391ccde38d3a50b9db88ed35c068fa020

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
6ba9fe4fb2a64f099cd94ea498f996ec

SHA1
6999d66be7017b07328444bfebde369ce92b76d8

SHA256
81a687d518a30ab13dcb4d65e0df8c431afe108a0092b4349e339acc91451b9d

SHA512
3dab20ee70c883d4cee0f6af7573c81f5a8e0888e1571ae0318f163868db951611f3e634403fc83eb35923b1f749c50275892020d33324498f8a0cdf2ebde335

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
5444b1a8df15f55ec61691ac4cd5aa93

SHA1
a1089323165f8c3256beea9014b22afbed12ea16

SHA256
94f4993535bceea1e4667826b8a6c70a9d836496120538c86f3039a15234c57e

SHA512
611e1bed04ef87abab375405a5af3055dd8145a008644112159eddd2c31be91cec71c63c31235c6212ce861f1c5ffb7c0a6e2ebc31bc1c07f187b97b886f9884

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c53f2e87d5d894993668dcd7fa546355

SHA1
42ddce2364e42acda4a56a56a8c30664d5208870

SHA256
f4eb7c05d9262e7a112c315464df048250dce0d017ac057fad6950c230a1e420

SHA512
481a3e8e477b012194cdd1d2b7aeb272cf6d1bf77209a7b2e496bad701980d50088e07ac3047f702b62a02ec7826341e2597aab1d025056d5868be7536e9d442

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
945d820eed4f917e9a3dbdd88d7359db

SHA1
e10b0ca504b37477c4538963a064244c82a08874

SHA256
66a6a4b23f8e13549dad897803d4d1dda247ff42e01fc1d3ded14354f3daffc5

SHA512
d2ebe4a62d9658f1d36999ceb2d4ebf93a0d75ccf067f834c42d780d6bb38fd25f73e8c78e08365060055e6fd7442d1dbd8cd41278a517daaa62c78d817b26a3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
084dfcd2bbac3e2199f0e9ad57d4e338

SHA1
38cc8e35c997f10b3983471a70a5846e68c7d256

SHA256
340e7c107a2322a461fd47d335ee73b2eddce6ed5869e6039e24e876d8d2af26

SHA512
bb971f2336c7553943b35f3816afb1bf9042cf66df298c599722706f017988112a8c6a25190d3dba552cac80fab46eba855de383a198f339b2c7b7e2cfdbee9e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8f1b3e87514c1079bdf38f09faf7be84

SHA1
416e9eda26b113aa81e0c9cc79be63bbca656edf

SHA256
86efd87833dcadae5da65704389673c97509e09d7dfb53bb38b95f23cda8447f

SHA512
2a0c8d2d939b8e01e057bb05dc2458ebc8cfea111bfaf171e2776da066b3955814dccd274c76bec6645468c44c8f1dd4a8f16409909890ca551d07abd963aa72

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8acaef2eef968a29e9bb4d8febe84f34

SHA1
b4594a23db7b3a333ebffe49b62ca4d552d925d2

SHA256
67d7df402931fb5578cf6a5f2492d200f9217500fa9256a232be0fbcfd367188

SHA512
9eb4e3bbbc4aa859e9fe7bf765f5f03c327ccdc8614411967ab074e85d33cf96859f98bb9b03c1a14001353b106e1da1b6e3d337e871829b351ed2f320881c31

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
20a99825f3ea68733fff6253a5022694

SHA1
555700a2dda6970e00d4e1130d93d7ea32d61be0

SHA256
35e55353223d73f0f6bd446077fa621d1631b3b1a60a0e8196bd9954bae80230

SHA512
43314b47d4b9f1a7611de542c0ba10b101ba83698ed395ad2940357e0a9933b28f4c8bc2d488b0cf036690db8e773225103405cd3618041a96cd55f6dffde932

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
a5bad41d441e9a3486873832aeb70410

SHA1
6903480422354f03f28fb397448c6b7dff9b755f

SHA256
e924f23c27bcf6429101526a2c4bebad7b38b0250a21eee1f3300cd6810f38f4

SHA512
d13c71ebd19f2ec2c4ced4bb40b47952c379f4c3a6ca049ef43b6c93a050987398e01fc90b3392c95d8133de0ce6c953a3286596820938f92be4dabad4d63c14

Download Submit
memory/1072-550-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1072-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1296-196-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1296-545-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1840-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1840-73-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1840-86-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1840-80-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1840-74-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1844-257-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1844-145-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1916-97-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1916-1-0x0000000000A70000-0x0000000000AD6000-memory.dmp

Filesize
408KB

Download
memory/1916-6-0x0000000000A70000-0x0000000000AD6000-memory.dmp

Filesize
408KB

Download
memory/1916-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2040-541-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2040-193-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2056-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2056-544-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2056-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2300-435-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2300-166-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2356-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2356-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2356-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2356-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2392-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2392-551-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2420-46-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2420-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2420-36-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2420-45-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2420-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2456-51-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2456-171-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2456-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2456-58-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2832-110-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2832-221-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2884-32-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2884-33-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2884-24-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2928-123-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2928-11-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2928-17-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2928-21-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3028-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3028-554-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3504-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3504-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3588-127-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3588-245-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3888-490-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3888-180-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4176-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4176-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4288-553-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4288-258-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4512-88-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4512-99-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4692-233-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4692-124-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download