01a660d65195dbe5a94c41f0dd78755b93ae321334ee69e52dae4c1bfe354b4b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
Size

1.8MB
MD5

2dae7ca8ced3e7d50dee1891b023d697
SHA1

a1a036a066281bd670845836164e1ed6cd7a75a8
SHA256

01a660d65195dbe5a94c41f0dd78755b93ae321334ee69e52dae4c1bfe354b4b
SHA512

da1743be64af43fe07baed0e7a8ca75a9e8f5a393f9c6fbc2a0da87ba30d70e2c9abcb94a522c06d6cca5f87e3b78484676f39d303a576fed458acde11e7ba3a
SSDEEP

49152:4E19+ApwXk1QE1RzsEQPaxHNKblI7a8K2mFhbrr:d93wXmoK2lI7K2mF9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1672	alg.exe
4140	DiagnosticsHub.StandardCollector.Service.exe
3704	fxssvc.exe
5076	elevation_service.exe
2224	elevation_service.exe
1856	maintenanceservice.exe
3408	msdtc.exe
5016	OSE.EXE
1696	PerceptionSimulationService.exe
4072	perfhost.exe
5048	locator.exe
2604	SensorDataService.exe
2288	snmptrap.exe
4356	spectrum.exe
2140	ssh-agent.exe
5040	TieringEngineService.exe
3540	AgentService.exe
1856	vds.exe
3088	vssvc.exe
2640	wbengine.exe
4580	WmiApSrv.exe
2128	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a668dddc293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b82cf44f9eabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8608a509eabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e262b4499eabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b82cf44f9eabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ba514499eabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe

pid	process
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
Token: SeAuditPrivilege	3704	fxssvc.exe
Token: SeRestorePrivilege	5040	TieringEngineService.exe
Token: SeManageVolumePrivilege	5040	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3540	AgentService.exe
Token: SeBackupPrivilege	3088	vssvc.exe
Token: SeRestorePrivilege	3088	vssvc.exe
Token: SeAuditPrivilege	3088	vssvc.exe
Token: SeBackupPrivilege	2640	wbengine.exe
Token: SeRestorePrivilege	2640	wbengine.exe
Token: SeSecurityPrivilege	2640	wbengine.exe
Token: 33	2128	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeDebugPrivilege	4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
Token: SeDebugPrivilege	4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
Token: SeDebugPrivilege	4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
Token: SeDebugPrivilege	4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
Token: SeDebugPrivilege	4864	2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
Token: SeDebugPrivilege	1672	alg.exe
Token: SeDebugPrivilege	1672	alg.exe
Token: SeDebugPrivilege	1672	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2128 wrote to memory of 2304	2128	SearchIndexer.exe	SearchProtocolHost.exe
PID 2128 wrote to memory of 2304	2128	SearchIndexer.exe	SearchProtocolHost.exe
PID 2128 wrote to memory of 1320	2128	SearchIndexer.exe	SearchFilterHost.exe
PID 2128 wrote to memory of 1320	2128	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_2dae7ca8ced3e7d50dee1891b023d697_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1676

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2224

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3408

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2604

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4356

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:668

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2304

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1c3233b3407996ae3b261428bc47ff4f

SHA1
92d56be3b74bc6889fb7975c8d6b93334a9ec085

SHA256
2ab0167c411e702fef12664c012bed9ded382ceccf3d6157d63c585db84ef192

SHA512
e255e0ad26458f26374ea4ac0baab4978f11ed2f4ae0ed64dde6936e01cc003abdf489cb41098352e03e038e29ea36413ace81108bb1f988c2f27dd4d1aa40b2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
94d8b9a44dfcdf377bb4723f8263d915

SHA1
38f0fa9b4530cbc8b3d812c7e23d2c1a961cfbf4

SHA256
e91325a015894d95898a64d2dd908cb29e18426a9be85ae22cd9167e64726d3b

SHA512
f42b0d50863b6269293b7c1e11398a0b9dce20be03b7ed62f17f180a7f5b3e8c7576e727cf349fb4dc6381f7e46bb2cad1086cb3fab4f336c6abd20b19cd287a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b3f80515c2d0568526f596f3b0d83788

SHA1
c0e5e98452776e336318ed5b62b05ea02e37fbd2

SHA256
97bcbe8246412d8cbbb99af26d794cbd3f566c082fb26caf1417eedb630b4660

SHA512
2558c502a4de6e454f6b54a9385f22fe757ce6104d27db19e58f962a767003aa75b430141eb1c224f9a2b7102533ac39d864c6bdc9e5b2baa989e4eafd01a9d2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8186cecba2c9b6aa77167d8cbef1e62c

SHA1
a4e98e80fd5297837be676b21425c45445f77ebf

SHA256
fb99edbe2ff1fcae568454b19729d82043ad6bf9f82f24f847d18b39c0347b07

SHA512
f4a9633b893770e8f9994541f90324547c9a0fdcd4fd4e5f1056eebc5430d90f08b901d4d3d516960af47fc0f76a559691df9eae14ee56b1876428d2bc06914d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a62d555e456f24af39cfdbda57f09cf3

SHA1
c3d1a116b16672d60c072d6d27bdd1e2126a53d9

SHA256
d1e13a7a9ff6f89df1d179fec6c2656640666148559eab5c3df04ba84783206f

SHA512
a2708585d5a58a05ccc63e0e6c974c7b22d576654fd1b8479d3ad64d0775e8127a6fd00c0f14c6032ca5cbd7977ca9839b6c50dad9eb70fb785a1979a60eb32a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
52113c262c4fdad781467373e6f65be3

SHA1
ab27ac2b7b66cf54b68ed74d3d736c99b2251ded

SHA256
25329838f9195f73a4ddcc72c0daca6dd05a1936e7af13dc08edba41c69f92b6

SHA512
caf5b4156d124c689ac92a9429e9b56eeb801e91986c742446625145ff5a9eb29ace2c2283b22008b12de5065f7e74c3425dd0571c7c400836bd6302b3746cca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
22ebdfdf66ed5839a9e5dc9cc86bc9c0

SHA1
6ed05e0300b5d439b37feda3586b5f3e62c65280

SHA256
b5eb45c536e3b1a551b8dbdd257f36b563af29d5879d89bec885bed23fda10b1

SHA512
18bef5d18eb6d4fc184a3566d52083873d3a093d89c92b6c78c33e5450d8a57b0ff1e5915fd1db7dec914941512c5a7882153e36b5b2a70cc8c3b8d54cf0a5f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a0e5f13fefb2c57d5b8d58bd87b6374e

SHA1
05926f63a7116afdc136b1eac119840bd1c1cb47

SHA256
f3f3cfb2debd3bbbfccf4c8d75d8d3dc30de7e06dd25bd8210b1051db4d53135

SHA512
2344c01bb781916dcd922291ed18c121d3dfce25fbf3a6976cf9e90cb2e44c4cdecdccc5ace50dc57bff50d5c9e822e188f008d9e22a0c80ce868509d630156d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
c975694fe13f6a6bea98814de48634e8

SHA1
8b5bec0ccc1a1d051d099f52ac18c2b5c5f2f715

SHA256
00447dd507264229df81c6e457e7517168af390f60f4b82b81c0cec0a3282c5e

SHA512
e4b879e479d561c57759833365fa1506bf0a684784437fd122d8a788d8f16cc160d47f69c8ad33aea349281776a4dcf56902d162ecd7cc91f16e9b6bbedf633b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
82b5e714c084cbae6ece8815717a2029

SHA1
338ef523355e5039e3cdad2f00f640542a18985b

SHA256
55b38f6325c7d6584e6d1a340dfee8d26e5c8169e4e6a2e1a8b4804c7de399b4

SHA512
9bbf84c5efd3bc46f0c4e8235a6fa15a0d3f836f4a5bd1a43699f1927beaa6dd6f09ec1c80444a4497f59968c0dd074619a84106a755fc35de709075441e1608

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
19db6cc16e32bf820afff4a417b60011

SHA1
f36041f9d2663a0935fe4dc8f98aa52c54274733

SHA256
fc4001efbf821e05fc3d8a0769fb620708ce606fda3c0d61ca7b6afef38ec791

SHA512
064a3ec0d7a0daf4edb2b51f533724c60d1c6ea0d0c44558e6c7468f803c4d33317540619f9ae53906fc56164fb658e5f74330a582e4b577ea9661c3e32cf050

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
94ed97af6e9b17e4d51be1770cc4ba8c

SHA1
713ae909d4538e8bd39b4164040d058e4f260b06

SHA256
2d908168f3c2ebb11ab29bde5003a35dd379400fa1a9687bd86f92adb61b823f

SHA512
9a34cab81feb191530a067572d4510b0fcba1e231725982e585179ad35dfc35eb857dc70c93cf52048008774046ad1e86f40a9eb8ad79501d56fda357951c3ea

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
cd6dde3e2ffa30b4ce58227839c9f953

SHA1
9e0a7f16881a080f9f789ec508cfa02bd169cc26

SHA256
0874966efe113bfca6a15bb051bc99c39516aa62d24a75fcad9f6f540b860411

SHA512
150be96c73ce7a76e24d9c720ebb0d1cdc9edfbc733f0a3090b671b380680cac4f68bce53c38de0d920335ff0749937ce910a82368d75ec9556ac48bbcdfe85a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
ea5aa464b9b631f11ac5de770ca65180

SHA1
4d4e16fd85267bb3cda01385f99a4e6798055226

SHA256
e1ce1526a99eacb1dbd8789bdc546286905a522a9073becf503b3dcea09be87f

SHA512
8ada477e9a15ec161fb5ece1df3282723431b32e53282b13b5ae311dae6e3edfb12cd75123d528e4d64d035a9047fe47c075d1ebdd2ce1b5af30650a8e056341

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bb4516d7cbbc6593e2d84819fb6300d2

SHA1
23859e2f360442ce51216db99f523874ba37211b

SHA256
d48a307540b998ee22b022f59dc2e4b0a771f47657de0f957cea3e3a8b179fd2

SHA512
7a0bf98ced60067ea3e056a56a314752b684c2cca4b6e76b3f70714ade501d8e976f1313874c6109eddc06f75919cbcc02673bb6b9bf6391f08b8ff1ad2ff883

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
095aeb4a141e0e70ca6407a612c6a8b6

SHA1
51acad106cadb236f46dbf07683657d5d6508a77

SHA256
25d53be92d7106947656451427862a2572946c3e352bccf5fe50c0a031abe2b7

SHA512
830087df03c708731416c561790d7f27342db81ceca343547764eaea7f72b125c4a67b3662470499ab15718028cd3f265a3654c2b3ebfbcc7b1f7f27c95d2c74

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e9a130a79c0c606490247923f5141580

SHA1
bbf39bab8b1528df4e780f7fc114d8deb959a226

SHA256
a2d82c6e8d20ca2116ec29fd42b1cd9f7ac337d33bbd105743b4e3e917254ea9

SHA512
321633cdbb57e9e251a13a97320a7a1df0caf330db9ed9b95c439a223a7ffad7983530b7aaeb7520f45d8e072d1ee4d63cd407d257d704d6f288dcfd1c4dd93a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4e20e87fce0274a09f04b2b663d10c2e

SHA1
b1c86449286bcd131c9b71cbba44bf7c6356a66d

SHA256
15af3f56cb7514caa2b8f3ba22f009506e19c75ec13cf4dc4a727e23d6311d7b

SHA512
c65f2dc7859aa866d51caae235801cd7f8af3a60ccae5979dcb13a8db71baf64a45809c689d99dd5fb7a5eac0436c469d2fa2ed1173a75d152a3db91e1f9a8c0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
03851588ac36212fba3b55189839aee7

SHA1
f1f28ad1e4b0a9ad33ef73c6ae9c8ef829f922e6

SHA256
f057dbda7d6800150bc771dc291138144753de9574790c6eee04dcfab0d54b01

SHA512
9250163d6c3da8ec6a99a1af47f4b36c0ab8874f745e62a4b5464a005adfe83d1f2b079acbaee9ac3fa65e4c9b40be4cffbfe097f87b35fb1dd0459054c9d748

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e431906a69735298569693193002066a

SHA1
94d5a9fde22802cd52f0d7c8f701e9cf07122f80

SHA256
89f06a741e5d7ce0255a7bb67239f9ef1e56cbe0af805c7ede576f37337b0cc2

SHA512
c7d21f320c71192f4dc20494b4f8a6a2421c44949526b2eb4b9f36efab9883f5f98e3ebdb27d8507fc27f9dd4a7e179d9b697b9cf5db6c1d93657260715940c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f3754d3f95be19676b9261b65e6706e8

SHA1
05656502d7909f749784babdc57970003b6f0d23

SHA256
076738b04d101f378eb82d9b5d8055adf810e72dd55720d5ef8c0d8d17d68f84

SHA512
b6104df8d7e7171f5f96524db7df76ebc446f89bc4805ba1ae479fb77562d340d85d77714db81be91bd5093cc4c187b662090b794ad13c9b27066ba307d00246

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
49b04cff6d671a7dc0da7eabd90fb4a3

SHA1
aaed654ec27711882ba9c49bfc6f4ee9b61fe58e

SHA256
5dbfcbe6e3ebfeca54aaea65c41edc45d69334b58be63c47a693fb2fb935058f

SHA512
f51f0451e43b4455b7e2b35405b5096651348cbf9e97ca016f16a0f2a0a66a41e3b43e5d704119838aa4d74f077c9bbe98685f1a8052e5dbc927d523a7a73eff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f8aae012f9a21962ec97acf8a60f19f2

SHA1
b13f0de57d021fc2079a83f164a06aba636d3477

SHA256
e3a91f6bb413b3dda3e3bd0b19e5581529a2b915c52d7abfc72b3f0f539c60ad

SHA512
6f57b685c5cc36f193a4c331363f6dbb67e9ccbe9e74cfef3e14ef1c4d77eefaf59423622473537177f50df475126efb60534b03db2394df0d9a10ec7228670c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
6fc050a8be631632295017c6dd5a26ee

SHA1
c5a74983cd0f2b441692cb74f964d33df82b1a73

SHA256
ca7fb5316b93cf23c6b058654220d3b5a2139a132d44a7dbc8db284a48db8306

SHA512
17b25cb3100f84a43596b609f5202af55de2fdb74e00959b9817f91296534745628437cb22708621553fa5a0d3f797feb6a05453004809ee24f67c7da77b0122

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
75a02fdf20c083a3f753b42e699b224d

SHA1
6eaff01e482c681ce19c30c561c9ce6ae89f28a4

SHA256
cde2bfb9235c14cbfa33c438009d27249e8cd08e0021217465f8cd90a23d4e4b

SHA512
3fad32d606abaeeb55188da70d60c5d90a98207c8da3f454053ded631bb0c28e66c9af8365ebd33bcbb5a8bc6ea6b0db34cbd07f3f6f8a0079221bec59b802d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
54afccb5a06a6f5147f4362c32195cff

SHA1
e22f22640e6bc44b37fffaf16dc002111cba418e

SHA256
f738cf81664d637c9e6178eac84c539f54ffacbb0c62dc00bbaef48f341d1704

SHA512
1601c7eee49c3ba0fd4bce11d88db835c05a201ea5ac5a4ab52584aa980be6d1168fcba6dc6ed86300537d5a975c81df66b68ed91cacc41f4255804c16b93895

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
de1e79cb82a95e41c640fca3ce92f64d

SHA1
adca988b50050a95b95dcbdc774e8e4d0c752acc

SHA256
c55dcc67a1e07bfb681430c84c3e238fac5fe39f0549b528f234e63989666019

SHA512
3ee6c2dcefe5878c4997599223c2fdd262d6b840ed9308f8c4a68c6f52e1debdbfd39f9d470c556456907f1620443d61f734ee40fe97e3bef9b77df86897e165

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
a5220981a9cbd6c776201b92bf50d447

SHA1
bb531245872adaceeb75a0251ae454a391a8070b

SHA256
10e708943ad884c41c20e6597faf804be42d03a82095b3859f640b49cb60bec9

SHA512
a6e937258d0d15f55399eb74b2e5777a7d6293b52c6c136fe349febc4a5a2977ddea66e69c2bfc6a4b8e886c4ea344d0c9187cff0b0223796069d9b1a0207967

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
dd90dbf7ae75200eb97025155b2f4eca

SHA1
ce4bb69b676fe7d84304e35aa73a61010dfde699

SHA256
8b66b79a8e5ff6e47808f40d67690dd5d4105859d894c4cc5db77401d1678799

SHA512
ec43e22ce4e41602ee4781ebc9253c7efe4cb661642a3da71fd1bd6bb2b5ec4c41673ddfedc1a6270282bd8e5db6811ed49d733f033afa1bd202ef4e23c65aa0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
942c508418d7a9d527fb3e82d1c7f724

SHA1
343d10e1b64dacec9fcc65baeeac5bd837ade2da

SHA256
bb88c5006faa27e4b03a5041282b6dd89bae020234652dd770c44e6307f09b04

SHA512
f2e4fbd16bb3426a090681a4afbe4828af117a97bf47c2056a8daf4043ac0f607d2299b61917ee7b232fa5f29a474a80b3bce4a0deaa86529e191a27ab07c4d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
508b79e9a084093d1aac1c258ed98713

SHA1
8881b04824f9822226014d0d9d3f72176ccd8208

SHA256
c6b65d2354d59d90fb231efce7bc7f6a418e510545d05ca58885dc48d2dad1de

SHA512
e70046f76c2346e7b093493c5e59c93cf95e0bb8b7c71cd27b19943ac181363f77cecaf7e9f2e1e98aab0e53951aeff86576e0d87612c8b2ac0d538e9bca4500

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
9167f4e82c7a3cd22c3fc7b98b019d88

SHA1
e3d9e0270701ccb4dfdff9874babae1a537bd4d5

SHA256
a2459149d0906346eacb61f62642f66efa5adbbbcc9e15f60632888674d20579

SHA512
4774ee997d4dd5fc93dd2b2b6cafa175a39fb8ab62156ac988161f58568d0d26249c8894104f88796bdfea6fee7eb6141f7be424a546d525155f2be65acb6d55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
2d633c62b28f4966b810eaf865306841

SHA1
f2903b7e9b1a87d09e3eac2ba258b7d208ddff63

SHA256
470fcdec2ddfd796a9fec314c7877ee1d04324914cd03c4decc265e1f8f39f35

SHA512
64afde7b5d5d2cbf831518d5a6f76240bdcf4379d1ca1ccc8cd1458749ccb9d55047aa6535ead5203d9a9e10db91ef9ace9ff4eab57e14fcf36dea6fa36297c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
fc3f3dffeb134b646152f932ba1870d7

SHA1
ce091d2e3514ce601fb9deacd11aecb56a030812

SHA256
538366ca4f64914f5c4934ea4275e9622804a754529a5561befceb5f69c833cd

SHA512
6c0f3a8310affa66cad5f8bf01a979fcdd29e2eeee9ffdc992daf1857290c9b8d1b46511d0b0f97830aae88729df9cc0a4560ea3809eee488cf2d0e166e8f2a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
622981a581b53bab8bf7b10e4aeffca7

SHA1
2f26bde21146a0e7276caeaccc1647c06ae90574

SHA256
31910599807d6ed287279204d7467de78492d4365252b9d74f22d096ad1e0e9f

SHA512
d4f21af2b505f0e84493a2e84cc1f46049b23c6a996e482fc6aa79715aa29452830f571f7be2144512c4626b6d09a2127c7516bf2050fd404d3eb998a5a9d917

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
ea02eb2c694d42aefadb983dd537833c

SHA1
4c437feca4443787d50141e8739821ab5e2849ef

SHA256
11245ec9f8fdf45aa67dd0934f1ff3e26ac25e599b7f9c1793bad2f5e84dedbe

SHA512
d54f5f70035c1d8e2da032e8e63acd23acf0e8c62936713b4fb7cd9d704ef47c347e7bc95f8eb71c462cabba8a0fa9b753f4eed66a0108cce9e8c72c47db49ef

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2c818a9b20ba76ad19197afcb6e225e9

SHA1
129c02d4e24b72aae306a5be77d61f99e6f30f5a

SHA256
019089f82dd550e5460f98d8aea84fdd041c10cba48b6690b65a2be90b516c34

SHA512
22ec463380c83afe48fa4e15dd8487adc674cd483a955aba8cfee9bef49405755fad67105f3294a6ff9c33356a2238aa78d2a6d98cab4b0a6b1fea1af912e634

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
98714f3521d71d500b10479ae9bde1e5

SHA1
43f061031e0042debacef3dfeeb97a88ce1ed240

SHA256
8464843d733494cec54410d12ff9afdb9c0bbff6091482a3885b1aa5b46f96ea

SHA512
daf73bd0e2a745a5e6b14fa2d934472d3f08d0ca65b9e5ab6783bd6e1a4370bfce5c1f09f22cc65e3118829d9a1572fc60e9ec94aca0f295ed980f2efd554f35

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
36931ea7f706354039ea436d834b29af

SHA1
0315c467fb47769acf80c1601ff5cb3f38c22da0

SHA256
ec84d952de4024c78683d9eb24072a02e1b102f6e8b4bbc4b0aebcb09d7dbbd9

SHA512
6557a49571e6d5319576a76a8f194a01edf6d09f27d98ea984a43d6f96fd58649ebd9b0c14560b25e9f589b0299cb2fae6bc706eb5aee55c751d70c96220b198

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
045c9d2f3e164e943f3cfc39ae7a20ec

SHA1
01be4868b32dab2571de50c3ccdd4fe01513d712

SHA256
945627506c55ab8194dd646406fcc425046a9795c80f086c9c6116f330d34ecb

SHA512
32986f46fb043be096318bc67703afb7913b51a4a3ff0d85fd525894d7350f2e410fc416781b8d2c4d110b47f7fe8ae3f240fd80c143d2bf5c118b6e75feb912

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9b737f961f296d24033ad67981db9340

SHA1
1e8d209124f05f45f45bd4b144f2b4602e282d1d

SHA256
31cbd00e454fcf20d6143492e2b79bd8a4c0d5fdc5f98d3a620324a848a218d9

SHA512
2e19846d9b9c30bab455f7257e937a2ff29e5684100cfc0d6532b6f7043b9979347f434915c3144334c872ec833ce0169b981a79f63f67135699747d28f0a4ed

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
61ca5834b13025bc2adb8d03b0970781

SHA1
9b125fc47b71c1f445df1d8f1b210d9c962422f9

SHA256
e34cff9f23082ae872b6250ec74cbfe7ae39b601e43628d4a50d2c7e9da36b18

SHA512
f9426ae7e41a48aa30854cf83fa5d7fac1b86c170a836861dfdbd44bea4eda88c60ccc885ebedbba68aa6a73dba3ce2d42cb8fa52984b01ba650d592f4154646

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6736a9d7fd72833ee49807e387eda93b

SHA1
a9a27093476a1f96d1dd9e3006629e89daeaccde

SHA256
e9bed517caa90f4d1a31f0ace897c624347e9e6c5c20ba1bf38f85276528fe8a

SHA512
8794d5e939ba57cead19bd37074e45326ccfc71dbf803808166c6adf287b7ee8f20c1e9241a81966316e7c026acd1ffa9c1f4b0fdb5a0733969119c72facbec1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
c378815187f5cc38080fa5e1a94e8fd5

SHA1
7e35b86d5dad447e755f3d9f121d171d79f47529

SHA256
ffc3cb3ffd2efbfd342d096ce9b25d327bffbc82c7937c8249302b1c219e0189

SHA512
fb2100f1b0fae83bed0bedc788a97cacd90356c6b900ec3c2f38725ab6c6d7b14f4fa0f536e270c32acf21620cb2a4d5c2d2fa6951a942e36e8345055cef3527

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
73a3ca47f83923619ecee779648f40dd

SHA1
62310929d0ae6840c80ed9ea75e950f44c9613bf

SHA256
da935436b5fa5bfb8255c84f1185c104e136a2294e0ea64df81d3b39089e9077

SHA512
7e376e67245c867e7c4ae8e333cb7700e1a8363ef83f837b36d2486fc30b4a29aea304f90917a92915bdcb737435fdd2a3fc524c3555a9bbb1cef1acfd632509

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5cacc04984ec2a79c334a1e5d7682576

SHA1
31c6ba69f10135cd8a1bf63765f29c5c6e0a5b88

SHA256
5180b3247edae6cb618cbea3d3070e9ec1b3a4b90de42b5c30ca8e894929bf9e

SHA512
26802aac45e6674c686deb9f4e46567e1ae201a28ec98946f8ac23161ead7ad6e6c03232a93fbd60c64c2b85d67801b139b99281f5797c34f48f79c17664516d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
73a37ed94c6a828c4fd4f4df072fa511

SHA1
00c4e22ba3227d47c18e119f03d087f25fd4013b

SHA256
e7ac243709e8741294bfd646f97095ed5e32823497b33e24bee2fb0aad931eaf

SHA512
28f0f850edb717dbd83111838cb09393f4c14d66f12ca5dd22e91a2d9569bcade8bf62ccf38e3b365c23a68f2b32f44352f23259db0c59344f0232bb31776b61

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6913a16756aa4c32438561e30877001f

SHA1
ce529f88203b14e012e2e9c7ea0b09da6d31f803

SHA256
157e058d2cea3f69370b21f8c272934489b52ee61060a98008bb3a7637351f0f

SHA512
1e6ff48cbd53b7624f9466e2afde3383b0529c4ccec27f1032eb6c2d98465b9db83a0790de44a4d7406292df0ceefba0a1339a7b149f8124cf3abdf863523c87

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ade78a2294ba52e0061a8fc4a9bc53ed

SHA1
771738fd546e8e887a7fb9c105f70a34313822db

SHA256
634b7af049ca750e5bd1f92548ba8ee0111e52b4dd83c8ed573c14fcd5168039

SHA512
26cc1145d48d2f6f5ba7dfa889900e980e499b23c79f56b71ed16ca10172f56461ca8647a8b00ef7298d982e77fee13d8dc994f09c9bd872510926c3b8a9fc20

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
43fc38dcbd5237ec0e2fc28dc6fb630b

SHA1
53354a907a53af0362c34dee3184b40e242192fb

SHA256
19ea27da8c187627ea7f2016a0bd757257e20c2e86f3755d01ecd3beb530c37a

SHA512
64367f00d5174d5010a01904c2cce82173672c0596483d60d1d1d904f933316ead239debbe746555ecdcf8c7258ce906e2c7c4cb194b9e586c10f7bdda2887be

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ad7dcf3dfd26abd136e8790c1f7bfad4

SHA1
5dfd66a5cd6dbdbd035c371e5bac41782987689a

SHA256
fdd61771363a9ca6379ff1ede09d165e56046f13ebeac75cfdc2e4b3c6daa61d

SHA512
a8bf84f9f3312b68e613b50d04f0b4bc70a466d3ce4b0420a7ccad0c2b702641e5c1457965b81130e4a8b0f98e75b73759666c85fb36951e172f16a50fc0839a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
499a91c7a936c3bffef470849ce66ec2

SHA1
0e9c77edccbfadc79f752e956665e34f00a4067e

SHA256
9fe7adb1b821f40fb26a2f2d48fa305b97e1c009ea0b4ec7a5a6ccd1428132bc

SHA512
c9ec0a1535c80cc8a5ec8d037a3eb90db5811d7623d6846faae973aaaca3f4863e42094a3c16e6772485652ec0b5845dc47b168b9ea5b081a0b35491db4c1610

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
9ca3514f0257af6d2f694f5d6d15b40f

SHA1
dcc24f36d64ae91f68c2632e4c4163d8ee0ea91a

SHA256
65bcf388b5645a3ea7d3cd240f493d10ddd757ed1d6ba37b26b7c8e031229747

SHA512
9b0b7ace65fd932305feb12a5520af311976099a0f4d96c926781d959a3d12261652ba598f206e4d0c9d15e07178411cdd3cf7e3252debcc77c9a38245c8ceb3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cbcb269988bb2b36c904e3d2bb8a26dd

SHA1
addd2dbdd3e6f2284ac3172b32890e789a12ff6d

SHA256
efce5642d22c6cbc7e1b1bf5d6c50715ad4af951cc2447d66b0ae28c94307d74

SHA512
0bc35134541e012b7c67ff3515914e029dda6a589faef526880f961faa171983dbe5cee55569cf02299a04e9c5c982dad1b6309234b0c468232ae0ffa5a2022f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
35e20e32a348fbf7187092717b43b5b6

SHA1
fec78e766f0fe83ef2ab8b1821758fe1963214f0

SHA256
5a44633a973739f9a62692b3080b38b336f8f80851128a9c66662e695f520d33

SHA512
24e6a8f1a5f695258dddee543b65f3d9a7f41b29a100a0f79796573dc7d9130624605e3490eeaeda58b2399dbfcbdd4bb16aeab01128f181fef796c73639da82

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
853ea77153dc13894cf0ac3449a09068

SHA1
e0fbaefda82b698717768f128f0b4042f7c7e908

SHA256
c6569aad44f887f26d5e6caa43835bbd29adb8ca327fef85c0af76a7e76f0fb7

SHA512
9f1ce49ac65da1bc4a17c6bcd89ee3b2e06a743b6d67e503ae24e6f8ebbc85552ac06b3e0af26550e36aa236358b372721c25bb2761a8bdf4a50ee53bf58b0a6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1361d6b84a5b6518e1c51822dbd09008

SHA1
f769cb6ef49795fad28b8bc43203ce9370bfb4e9

SHA256
9764a7699ccd8a72e9b7fb8b1c8c052b0a2ef52f79a9bdc4a87e216944bc315c

SHA512
a4aef22825683edb9b851fe061f1ed6e40770b27709541e1361323311d09dfb40e946fc12aca07b90685cf42be2f6aba35bb9738b25a0fc125e05e4cf0060483

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
e7ef942971693db9ca3aba2e67a4e0c8

SHA1
b02e98b6663b09ce1c900960e239152d8723dc92

SHA256
06fd5e9d60701129fbd184394b7e8336e55f3be0f0aeaa1abf8185dfcd80cccc

SHA512
cf0fc2bd86b07240339549db69de8826172864c78478179378e85827515cde0edb461b6f23077132f48a58683842f6cbf6ea691343eda2fc53f3f38e273bf468

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
fc53f845e743084a7dc29e22b71adba3

SHA1
30a6575d2977365d21365e52080d94fb7ac84f07

SHA256
fc14ce403e9329201ddaef65bcd830f68a441a9a785fe6207e617b2616dd793b

SHA512
20b137124342c112694b0013049eb11ff1cbe21a01d7033865978aa41ee53713b6fd75de478c182cca88d0285b66425ee43c5c03512428b90261b58b404161a9

Download Submit
memory/1672-112-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1672-20-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1672-19-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1672-18-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1672-12-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1696-118-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1696-235-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1856-75-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1856-86-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1856-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1856-493-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1856-88-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/1856-83-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/1856-81-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2128-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2128-581-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2140-181-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2140-491-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2224-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2224-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2224-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2224-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2288-156-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/2288-395-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/2604-487-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2604-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2604-276-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2640-577-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2640-251-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3088-494-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3088-248-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3408-90-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3408-100-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3540-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3540-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3704-59-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3704-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3704-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3704-38-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3704-44-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4072-130-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/4072-250-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/4140-32-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4140-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4140-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4140-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4140-129-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4356-462-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4356-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4580-263-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4580-580-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4864-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4864-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/4864-6-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/4864-99-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4864-8-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/5016-225-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/5016-113-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/5040-492-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/5040-200-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/5048-133-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/5048-262-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/5076-55-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/5076-49-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/5076-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5076-175-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download