ca9178263041cdae8b49c868e3b524fbe584a1cf49d9b8f51016dba40bea88ec

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
Size

1.3MB
MD5

2f16c0e3c4a737a7d6b5057ea2adad23
SHA1

ebda5034a7654378c369cd6cea4a7661b3ced222
SHA256

ca9178263041cdae8b49c868e3b524fbe584a1cf49d9b8f51016dba40bea88ec
SHA512

af5eca8eebf9940f5d4fa2f35b49154503fd24ec6c8022cec86456d10e86e8b307d31b052dd10ad136fde3b063ab779fe32e7f525ecb9de408e59fea6326975b
SSDEEP

24576:d6Bo+L6VMRCPU6CENltmVVdpx7fLrQWd:YBX6ZU6CENlc7dpJLrQWd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1532	alg.exe
2148	DiagnosticsHub.StandardCollector.Service.exe
1436	fxssvc.exe
4040	elevation_service.exe
1352	elevation_service.exe
1548	maintenanceservice.exe
4892	msdtc.exe
4588	OSE.EXE
3128	PerceptionSimulationService.exe
1180	perfhost.exe
4756	locator.exe
1928	SensorDataService.exe
4424	snmptrap.exe
2680	spectrum.exe
5072	ssh-agent.exe
416	TieringEngineService.exe
512	AgentService.exe
2596	vds.exe
2960	vssvc.exe
2156	wbengine.exe
4048	WmiApSrv.exe
4620	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5baf726cb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000664f9eea6299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038ba24f26299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de120eee6299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b2189df6299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f287d7ea6299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004860efea6299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c87597e76299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018da3ce76299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
Token: SeAuditPrivilege	1436	fxssvc.exe
Token: SeRestorePrivilege	416	TieringEngineService.exe
Token: SeManageVolumePrivilege	416	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	512	AgentService.exe
Token: SeBackupPrivilege	2960	vssvc.exe
Token: SeRestorePrivilege	2960	vssvc.exe
Token: SeAuditPrivilege	2960	vssvc.exe
Token: SeBackupPrivilege	2156	wbengine.exe
Token: SeRestorePrivilege	2156	wbengine.exe
Token: SeSecurityPrivilege	2156	wbengine.exe
Token: 33	4620	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeDebugPrivilege	4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
Token: SeDebugPrivilege	4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
Token: SeDebugPrivilege	4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
Token: SeDebugPrivilege	4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
Token: SeDebugPrivilege	4268	2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
Token: SeDebugPrivilege	1532	alg.exe
Token: SeDebugPrivilege	1532	alg.exe
Token: SeDebugPrivilege	1532	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 1516	4620	SearchIndexer.exe	116
PID 4620 wrote to memory of 1516	4620	SearchIndexer.exe	116
PID 4620 wrote to memory of 3548	4620	SearchIndexer.exe	117
PID 4620 wrote to memory of 3548	4620	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_2f16c0e3c4a737a7d6b5057ea2adad23_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1352

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4892

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1180

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4756

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1928

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2680

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4836

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1516
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4612 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:5992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
6536e3733ad4ba5e20a82a82af90810a

SHA1
a668209b913a2481577ee64c5a0c9b106b0c87cb

SHA256
6bc0ef321b7473763b24125f4e7bbc4ae3ccf78c929360bf335c21dcbbdfe8e7

SHA512
383c1c6db41cb7034a7d163d46e3356616da3ce424e23e794771706a44cb1d6879de35f937632f7a49e571bcf85c215092f6435938b5b46212796a15e2b50822

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4e5f4fe58923c7a98f7d960552f3fdcb

SHA1
f58b7279092165711a47372efae37502dd14d85b

SHA256
d1c1d2bb6b0855e50b34eb758f12a243cbb66c4a0d798c2a795755c19d678a35

SHA512
3a089cc2176c455a2b6f6b77e6c3806262b43c4293f72e0265cecef705445bc5b1fea3972543acdcaa02b6df943becdf5d66939872a972b3e0783015f709545b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6b4070f1607ba4517a2993170e1ca51c

SHA1
971b4fba0057bba8187c56d39c96bf647542d4d0

SHA256
698ec5f8248848a027c16b96ba426d5bb54f0668b631c227c228c924fb95fe07

SHA512
e202e7ac63c515d0e8264b2b891fd35465286b3ac231b2ed4fb6097fae7ca8d95e59e62fe52aa5f7f7e26a4824f4a0e888e50078dfb89e95dbac927189b0335d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4113c842cebd83c615afd02eae550931

SHA1
797d61f2e5e13c5b6ca25a6961b952f2f66118e6

SHA256
d0190294f7451365b9c7d06b60139a1c1fa8b6854e7d8971dc2c146edde80071

SHA512
d2bb54fccbc65ee65af9fbb5d5414fbd60d02b6e8c4f697dafd2a77a35a0118b58aa0629ca4e944f9932e5c723d5196c047bcab3b11af49271516c0ce680934c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bd9139a5b7cf4d7544a04cb8e3238caf

SHA1
b95d6e47525c1c7763ad3d7f0627f2ea0f72c6ac

SHA256
c630b4ce4fc34a830b89af72cfeddbde7b2a401cfa1b4ba04e662c8836fd2e67

SHA512
30d9e90ac24a2b0b1d7cbc04855fe49dec0c4cdf30b3b8d8c29d8fa78e61997ad98153e13f5cbb8b38b5828a73cbe9abef1db87e16676e92983d3ff2ee3f8e95

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
ed9be438b747f3dc8311139982a91c76

SHA1
7ebe3888336c5cbd930b725e1417719c8ca366d9

SHA256
0345b4ca647ce28d842898d786fc74adce736539ecc91d98836ddc173bae0035

SHA512
ed2172cbedbb0ad62d19933e40884e89505512f6749ec75cb53cd063e4e31c2aa1a0b8d18a7613c43a15f6a703b0671728c6ae55b365da95dc9a4a656697535e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
ee35a9d9e9f57888284e2e8407a6b316

SHA1
000078da96d00a38e886fa6711eb5412c9363cda

SHA256
7d869164bd1a4a227c8fe9cdc3ad30d2aac6f80d71246fad649112a6e97dbd3b

SHA512
c9adf2208dee58106431e427d933c852aef6e7e1816c911fa81af5572fe5a547ead958a822aabe47da0ac357e9758520f0cb8b70ed5b09bfaeedc7357694b6bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c6bee39f2367c7e5d5d6db7e400c4b7f

SHA1
8663814fedea9d825bafa9e5d4d7adffc0d1a4d5

SHA256
19d621d00fa2526bd6a8e5fc65401b0479859db39a1186a553f3dc9d55f38468

SHA512
f9245f4d966ddc46759d8c47b826b1799e703c623a0f731bf73af5f2970f5b7f341fd24f18357bc3008c0289b0ea08bde9585890350fa890a334f65dce63d35a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
90ed42d3ed3e8ab508529703f6d6661d

SHA1
d0d8181a9aa8b4d7db48988ee931104948f8bb28

SHA256
82a33fcc55da43c2db226b0fb8ff4101475c4404fe0b3bd22da1efdc6033e362

SHA512
f3db38dfce0db24bab358a77e168a8e55c1b489b7dce2b8bb891540112cd1785de7fac79f841fe3b5fc134055bf4a926124c5387b67447a6c93bf3779d6baca8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
194ed14eeeb636e3176112cae3fa3b4b

SHA1
ed5bc239992b82d12ac3490a355df6fc98b817a4

SHA256
5b390b8d471f617fb17aa3d8ff655c2fbae2e7b37a9b895026e329848284e223

SHA512
f31c3e475234e49cb7857f105c1a3ffdc6b497c401f23f760342914b574328cc7935066903426503662724468fceca1c9333a6c2b5680743358659e80223c5ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5c81a35ee52919420267393cb3f8db75

SHA1
b5efec5e8b8d0f007ec21c4245c46c00b8040ba8

SHA256
94e7abe6535fbf58e8e603c81cb5c547649d8abcf157446485b21f9909f29b7d

SHA512
d016071d547fa65bfe3f158899172375197651e5f96a6c00df6f0aa3e75981823f092cca692d349d7f953e3210bc33079e18bbeea61534f5cfff059b4143cdef

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1ba5b1391c45453cfe24e758d6b8c0b9

SHA1
b9e5d7ea4e674ef1302168472341144cd08aa71d

SHA256
c87eef3969d42677ca296ad3539c74922e63b4e16f81182df2780e29d35bb03a

SHA512
0417218d3c3ef3884f74c7c1d09b12e66fb5c4f0aef95eeaf0bc61a5762e7dc547d602c904204f00dd89488be6d6fad7ced10c015ab80157368822de98a4b88c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
ce6e269c27c31d495c3baf7b00ecd989

SHA1
5515dca3e4b1df77aa08eaed0dda780f9f6b27f4

SHA256
62fa096c8a23e6be7b6b1db99ceb00a2622ed428fd16bb652f3104d13facff77

SHA512
76ae690af7f4bec5d393fb19d1ce258e955baf4f06eec912318bf65aab25121f2185aecce524eed9717b0cd348d636c61c4bb5cebe0d948cc4a313e99fe7b98a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
f8c7b44c7957cff2d9539fd0a460d628

SHA1
63e4a8cd51c7e0f0c6ca70e8c3f686955d86d637

SHA256
4f6ba7aa51e9e255b03bad29926cda1f6fee9a84d056215690c7ca1d44296f80

SHA512
16ecce86000178e44d1520be61abc31fe0f80380104b2cad8f68ea438f2de9fdb1396a2164f60c443c817a0b6fde04bdd1eb95ea2b9d95927e9f454b4ea7b78c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
335eebe6770f46cdbf623859b3823aba

SHA1
6e7b03b831689a15de231e235253b0e12e1c74e4

SHA256
0e686c711e90a415aed0d672227bf357aeb2b78672f382a337503913abe1c24a

SHA512
0a78869594ca0bca6d7851443ffee3dcb6bf056cc9787081d53b97a80e9d5cc3736c2395f203e2e728ccb21b7da72b667d3256723d586b98bf414192f62ebf85

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
94e21506e7db0bf4a42346bbe2f6c3b5

SHA1
2de5b8cf4b855afea006b4c65809fe8e547dd8e3

SHA256
e081991195cfd6ac99b9491662a01b652685fc63360432dec5f679a072260ebf

SHA512
e33c04436583e3ba6c6f3dd8dc46b4cf201086efb66cf14514a5d99b25225be597c02c24fecb16e251a66309ec22278d1fc47452a1438a978eb70f9b6f5c0cb2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
913f6efe80e7a71c4d6cbb6a7af1418d

SHA1
aff2d9eccbbde17f9c29d24da96cc5b8a0af6d9f

SHA256
0d1a7324c51f366c64d006e53c935d7480e58a2f0a8400d778b9be9537e8a4bf

SHA512
8d405562a737e156ea339f1222f1bce1ea788f77bb01b133caa2df58514e733eadbe3696f3d4c6ba8fd375f5fa5a2d0325238f2118b7f6acc09733833a647c5d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b5526257d6acd7882953ba792840812f

SHA1
0d0eee85269da36a9bf1ab0020aa856fbb7efe77

SHA256
20fb1002a399834af067b317a104474e066a019069deb6283f1ebae4e75b7f49

SHA512
7e26f0a8f8427ffaf5d6897d2e4c1dfe4afcfbf401400dd9762b416d63aa24835b09595f59f542fa717d89ebc5afc7b141d065a2b34d3bbb5c471a54b0b7f8a2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
1a9c7a3dab1dff363835d20250992128

SHA1
10b22e659d120ab69084926b4d24373de75a61b9

SHA256
ba678a6bdd104df9b7f20ae68897ef86f863e88357437319042f4445ea221447

SHA512
d66048f2f26f55159b1a7674e2c4e8055afc98e10e89624ed58122272e774ef7b1c96759af93dbc17f56361433d240b98b0bb6e57218bc21d91631a563d6cb8a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
33a9bd3cb765f7443099e88188f3dbb7

SHA1
a7e0aa1b289d722380bc8e49fb6da504465637a1

SHA256
f5f378ff5cb06bb7ba9e957d12118b52bb54a0b3f2467e8aaeb7eefc59b7e1f1

SHA512
9e80b4f030f3ee84460ea6f7c7f557799fe25832cea5c5b3f96b11f823100126eeec7ae0960937ea3be310558131d13ebc6735d3ef490f83d893f362ee3acbcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
2d53c6e851164284024b8be89be9b58a

SHA1
6033fd99be862b97d7cf9386cfab3c725651c003

SHA256
64429c24de8431c31e718f1ec7445a4c451c079d99855a8854a246fcf8e035f1

SHA512
af491f8e473b8e1f69ff33a3b67e62ad7c31d7b7bf4eb301d162e3c829d5a0ab0876b39e393be0cc7ef73c2a897ab925d8d421d4e2f6fd7a3fa4069d6f39a6c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
cfa0917f4e102ae2327c969a8a86223c

SHA1
f71e43d37601b6ca2fadb10a06b5309f3ad4e620

SHA256
fef37ed9b41f2cf2fc760110a11df35947757cdad462141273b5f53998d804b1

SHA512
c73119226614d0cc8c63708d1764c138d29c9c5a4d2afd33206cf95e7542f2b518466f8eaffc65a7d3289f78c4f414c3545e450e84f81f45aca5ed2bd65bd4b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
d2741b4f4e178ab985d0db739620318b

SHA1
8c7c1e61c61a32794ba47e60b70c72fd843276c6

SHA256
af195d85d3ca4c0a1526a509cb2607fe30efa6a01421ea82b7a5d7010309bd60

SHA512
7027b1d8baad344ce3a4303810393b5da559404a6e42de95c462ff8a48f73227dc8c4f874bd6b7329139f8002e4e28427f97a752841df0907eae5b47ef63bb20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
597d3b3fc4e590ab00be0d431e885fb2

SHA1
984b8a74a47e1e8004b546579805b3c01e7aa146

SHA256
06b46a3f545c277599f41f00d9a48f7ee2ca099899fbd5d8245aeb199d31d62b

SHA512
f1ee7fc656cf60a7edb664f8c8ba18a67328fd8a83b28505dce0b7e6e00bafe91d88da70df696f9d0cc1e7a5672f26ccff813e12313e723a62f20d73ce930cc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
dd8f8f53aea4350521994436ae0824c2

SHA1
328407a77192da46acb065852c3267ee41fe8a3b

SHA256
804f2f17af2c2f5070edd1d3cc62008edd3bde4c8569928e9d0bbc9ad775ce06

SHA512
0be0f942a6f51a0da69e925ec22c8cb2086f7aa82458be40845c901ca13d44e2f5128e795b892f694e236a460a0690233cb292ff954ffc5b4bd94090701a0421

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c455413476942227424a0d1287eff476

SHA1
3ce4225f328bff35dad4ae82f23bda44b721f60c

SHA256
8e6501dbafc455549b03d591e10a6af691000a8ed1b9497b70afa9f4c9757de2

SHA512
77939239bd5ab5af324e07d2a9b2929e9b16ef122573cde92b3172e092c73f983ae70bc93075738589e7cb8c8609b01df8e18c7da9a7d25451045ba37c26ece3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
777799b327ce8c4f12e2602451533850

SHA1
041067a32cb004a8b7a4c6f450d852220fe66f8a

SHA256
bf3970fa8dfd5bb90cf91ce004a3e7e0a7551bd82c9a7ca7ad49ab7e1d5c886a

SHA512
389761d357a7630e6537aad289c96d6eb923eb09440f56fbc6862ba411ef8c7cc181303b3bb99dc8648a0d5d8cee256654913912f66bc2220c4f14db30905c0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
f0740bd2809226c4867ce79008132fa9

SHA1
a2f3f9401573430588cf302ef1142e52c9775b2d

SHA256
ca3459021fd86019ab27d5b2f2c6dd0ea1f020e61fb4cedc3e9e37d96d101f11

SHA512
2d309e045b62536b979bb1d40deafcffb959bfbdcd19955d6bd9dd65a5cbad380d5b644c74df2467de73ccb5c5e80d9942807decad29a27e3c5294c3a8ccc65b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
cfc27d6dd1191845bce5eb9c0c052aae

SHA1
3ff3a0eaa60cdec5d3cb2045611afd4d46a4295e

SHA256
0e30bafea4f6f901f3155752161382e91e2a517a9fc5a8d24717c2b4a44c7148

SHA512
dfa4adb6e1f936958fc1d332a8121dc3e57465587458de983a31bedbb54a8c93ca4d51cfeb63a764fd4a062caf3191abdda337800ade6887852a519a5df37563

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
3b9a58464fcd911a63a4c9b15221ff48

SHA1
31e23ae8214e229721bd864c24b6e07dc8212d37

SHA256
eb64e4b5c86d9dd5d6c28300664c7cb51e0028707899eec716b4ed3ed80bd51a

SHA512
e563f7cb6ce51776012f24d0aeef4bdc4f6f076c5b18a6acf193b2f20d7d7bd168174c4513965cb608c2c23fcc67024ba33fc39026975350f92be934a79158b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
f59bec9e0666de6efd1a1ba4e67f5316

SHA1
9b7943c3a1c2391162b37c0da641ab2eeefa65ac

SHA256
eb207a37b48167d0c9eb771a8a0e1edfb6697da360c034367546146afe5f55ba

SHA512
631a81be972df765304aac435d4f6cbbe9aa906311f63bcc5331e054aa9774cb552628f2ed1b0e927d28c2ffdfde3706f53be883e0b09009f62eddf493a973b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
9acbba8f4329ee20b06e9a09159a0382

SHA1
c114244fdeecc9a077690972faf74529dd52748c

SHA256
6dffe92567ead87507ddd00112a120ccb990f3cfe07fc18b911ec006a59782c9

SHA512
6134b9312d5fcdf2e45e0e6641460afff6564652580ce8659c9adfd17e8733ced5845440c3d9209dc16389e333da7a183c20b0c087601b7e125093a83c872a6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
b4e7ca08b385c39ee3e5656c7baa0753

SHA1
aebfee9c8f51c56261103f757ec99050af36c0a0

SHA256
33ebea7f693b8004fbfcb8badfd66a9cf3f12cfcf71c0e06f450afd0d3c2788e

SHA512
2a93fdf3eecc7af977054c9932aa5ac3aaf690b4c3cbefdb8cc4eed0635e538aa036236a85116d613e5f174a107c1711d0de1474fd2a568be02dd938fce4ca46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
aa6206ab2551c135545a24291ae207b5

SHA1
b4ce12fdba4111f3b1b77d5c008f807fcfe97cff

SHA256
4ed8a0cfe033044835e6bf0e947e1a466661c3cb70e4242b36b14aeff4ff6ccd

SHA512
426e3e1a082446a4d83d706e07617f61408ac8f3f4242a744ec883a208a3ced7f2b8d4aa11997249cbe0709a8128faf0e6a437ce7b207bc0fef6695586ada1f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
236c1c53a842bbc76d7556f44401aec7

SHA1
3bd227ae67372cd9aed0efc8fd7d04be9ca7d1e4

SHA256
ebfe9324cfb2fe402f6daf4a9eeb2bd1ce88fb39ec64682460226e5ed4f285a6

SHA512
af3a083946376769936f75c1779197e2380febd7a21e7b5be1cae17828a4807ba843e1c23171a1796bfe58fb2c5305408f49158c5ed23c20e672cde66fd4b845

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1670027e8fd7a0bfef9a5992f47de15f

SHA1
3ed943d2f285a3849bf411a09e60adf7c6923fc7

SHA256
8355dc056065abd62fcff01cd91dbe8d3431db0fbff2994ccf83b7643751e2c4

SHA512
085441b3501d07df926417d8e256307659be0af99a9afa5a1878c97e4aa1082f0495d1caaf954fdad3580e55a38616a6121ada93e3c068173413b762fee319d9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
3773e339aca7cf4a77350b08815a5c44

SHA1
8a409b29ccaa24f99a885331e695a765c41a515a

SHA256
e51e1e9828274a4682cc44f99154499b0b69c20c4775c2b1578e4c25f380ea22

SHA512
757376ced5302d4018f05681d58efc7dc987ffc6c882102e17ea43db8fef2ff9a8ba05d49c26cec5c0a9f9888218bdf8a50074991ba2e0cf1757090272509223

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
74575abbde209bf613624092e20aed51

SHA1
439c4fa06e4c054aa2582e452fc7317e172ed127

SHA256
c1f20b4e13ff29c8837815fadbfcca78c27d73299016b7bf8ee03f1b162dfed3

SHA512
8060e5c29ab824a35084dddfb5c6c2495be6eca5ead89be0eb0d082cac543773db14fc247e68aefacea6c576781c1743aaf0b5cd2a8ba2f5d62c872d40cba5ff

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8cbbb141b836a355ed2de0b83498d31d

SHA1
92fa538ae8664e0eab922c6b773e126d35f4e4db

SHA256
f5628ccbfea58474a2397e64612917e9827b646556b9c9e77373726110e413be

SHA512
326f48219cf1228539460c0bbfce2832faca6e3327345aa87f6af6f2f30b06b403b7f7e6116e99548dae21e446d579b742b8c329ef598064c730db363a423692

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
4e687fffb2c7ba993ac4427c035f2911

SHA1
50e51a0929be4845665bfec2ae9b04567e2d2445

SHA256
2a08663fc9ab927709cdad64e1750a96c37dc8db7885cb81b46040d954035880

SHA512
7bf824787e12c4b427b09353315257601bcec5cbfa0f5492e5c891ffd46e6c4d7bbf29d039d1866dd7263e26c194d3185ffdaf91228d01d1b01d620926099248

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c1048878ecf0133e45ae3e1a29962c48

SHA1
5ec05616b2875eb523e6ec6e2c287dff35a1bc37

SHA256
776ef57a32f96432874a3ca7e3ec19a8a7e34ae97dfd533a842d78471df85010

SHA512
34fc7582f63f2ee99011ad41d52b66accc1fde25d83966290e1aba993e906d4237d947129fc489d83ac113af507db2011d88ec8244e81fae0d99cc2153ad25d7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e9a70af277ad843ba8745a9d87b5d2f8

SHA1
b43afc9fbecb812b12dd46fb607b446c355b0d2c

SHA256
1daca5aa921a7d5f2cd66b46c80e2e4db8e62f8d4ab7c0699e742533e9ebdb0c

SHA512
c920275e6641608994b701d8de45d6a80bcc9278bd467c8adb11df40f720d3946f859d8e50bc316505bb0a3e64de4d4d6a7c197cf0d461895dcdda05d7d844e3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
6b01ca32fbf1ed60a936a549591a629d

SHA1
50fd90562750eff0916eee1787044487066b4172

SHA256
4015d369076b962fb8c16ca6f5d47fc7404a6b1c9446a8ff2b1984b96a342db4

SHA512
53fb4a1848ba891fdf25a698b75586d718f12898c2a1f04bd103aa2fcc4deb94eedaf69aaacd54e33fedd9fdefd584e82b5f843932bcdddf2cc3039df5c594d2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
203a9fc5eafd68d800c524281a673400

SHA1
a0305333cca9c12bf9af30f51b1c9cdab759dc13

SHA256
ca9c602219edf0c342a3b39de688e293a10fbf134da6c61d6152ddd8494753aa

SHA512
9bc741304ba537d3d3145fa76aacfe8f9ab50977ae18ffaa6eeee70e881e87c20be08364017cd069e9315b3dadca972681b549d1a588fe818e8bd9f1c2687782

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9b334852ca59fdee1e50910a76faa6af

SHA1
841365c8c30887334d7f651d69a65bec22c37fed

SHA256
1b034dfde5a0f7fe2b4f29a4826f5788019d6538e64659cba494d60516e4bcc1

SHA512
9264dae5f253d210ba2499e63189afcfbcd6b1bbfedbf66a48b7b9239cf58b06de6309234ba8890c0f5b31e26e2afdf534ba669848288368330bb0050f0b86ef

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
004862b59ae963482228489eb6fcf04c

SHA1
759153067a7ef05a95ad905c87352cefefbb470e

SHA256
8ce9d97d5f20ed9417ddfaf1eb740cdb8f319665ec96e6e94180034f8f5e6035

SHA512
59f9faab989d21508a7aa00745f9eaf499e32545e8f4cbbbb6f7f0fa809c2d8735fcba12f3e9fda4a921de1a77be29e3d1fbbfc2c9e6bbea7d7babf8afd669ba

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ca00977a37584e58b5523a3a833a2f17

SHA1
985d407af97880309acc940048e1bad87599d2dd

SHA256
bcbd62bb07631b76e22ea0c7ca1867136af1fc6f1fd7b70eee052d0aa8f55e6a

SHA512
182102d9b1dd97fed3153cf1da28394d55881f6b4a25466f92c98d8d7adcc96df5d4ae645a14d7e9868cfebb7c2d4d49410748c46f2ceeab120ec86607e9b03a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b214e7763a896ab8a440e56ead750c7f

SHA1
5048f20fb81171044d1c7ee9355fe12c24e7c3e7

SHA256
de7e4c35fe151c001f9ca918189597dff9abc9ce291de8050afc8695504ad92d

SHA512
32913e928a4caacacf8be05fd1508a3fe44ec8a3446d880f4b43cade3b40c40878e84d03d4f2411c4dbd0fc0fb599d22d647a68adefbee55c440ee325e95d09c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4eb42b03051260a9b06c176b0c896e6a

SHA1
06ee2cf6bf7a025159592a59b15cbad08507a199

SHA256
1f54bc3d841b8958fb108dbc10a59984de07abe68022889b83ccc6d842358384

SHA512
74def3cfaf9796a0a60e33a8aa98143ac70e1fea7bf18a1276ef21c2c1002c73a18a72f8862debdb88e54349450b5039d142e77f15e210344c0be89d6aa7f02f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7f7ed5f4b4eef101bc8ba9d1c1e900dc

SHA1
3232af24e5deeea3305b9ac52aed9014c1610dda

SHA256
0f06dc3e70e026f01625c6ce07b92ab027a77887acb230e93769d2bcdc507427

SHA512
3b4b6fc48252715ec76bde61c35c30687db33bee549a04d4e58b6ee880b47d11760865570b6678733136515810e6d823fe6015ee7c44103a075de31eefebd924

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d053fb7ec12091a89d79898015e131cf

SHA1
3cfcac2813df3d148a7edabeef01c0cc53bbcdc4

SHA256
e6b06a59690604ef1fa06e4592e5f12074b38968d26ebc030955250b4c715e96

SHA512
98a94cd9a714acab2895939d07ae0bddbbbb093b2cbcbe74510c71bcd9690636561fe43bbc4587b3f276d0365a7909923ce50db8a987776c34efb7f6707c73b5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7773ce83dc337c955281031b65927581

SHA1
50f940587502301fc9a201337f21ede642739c79

SHA256
9b1d939a88b20a003dfe20fb2e3b7cc5c3e4b465bfc75d2f62314f5cea28879d

SHA512
515c10dcfb22a3c8fa90ec6675547bb1476f77426763d0daf535d13fcbd924d4d86ed80b9130fdc9a0b98bb6fae53950b03cc11d795124b17ec14b38428d69e3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cbecc52cee346934607ca804b8637151

SHA1
aa533fbbfb8690e066720f8a9cd1289fb08b8375

SHA256
dd0bd799f63b828c6cf4beafbc8eaaefbfa8ced904bdec8d26fa40c0ae675767

SHA512
6464717b49b9e32dec6ea9ddf22bf976bc0bebada4d06b5225111c5a23622169fc955faa794ba1d24606d2faaf2bda19c1d63486109d7d9f70dce0c4146dc3d4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
6d151296899ef46416d3a2f217d471c1

SHA1
3f0a977d9d77ecf34a3b1f3441bcc8ebcb7743ab

SHA256
81e172f50ab5e7731a18191d8ef491a30fb9c80b0f3b0fae6399c8aa67c46f5c

SHA512
d8a3d3742fd16b8705947b96c420ca4f7baee88ef2ba9e210357c4cd64c3eaf712b4743b6c182a580e75be643e9c035f16d564eb0ebfbef9ef0eb4d6c3e75365

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5c36582c7288728b911437347ea99d9c

SHA1
89f1bbc93eacfc0b6f17ff13dc9c0ede84ae11e3

SHA256
49e375eeccf877594b83f25f755d8524e95de07c5c5a6b2be7e5fb45d9598f2f

SHA512
ed2c00e606239e8adb939bdb1e384c8e8420145d00d4a2a2176de1630a5e99e3c03b0993bef63f7184dcabdfaa3432ac01650d96c5b8cc123717f3cb290b244d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e971a2307326e91bdd539c908ec093b3

SHA1
e41f0fa268b689a6a9889d18bc211ee22c9dc002

SHA256
1df2f0259e0128870c7b9358aea9abf6189dca81d1a728337207972469c2cbd6

SHA512
5c0b94ca0586f0c38bd5eb417ad0beaf0159e52d63a31264690c5bfbf90ebfa19324b90f446a7497a0532132cbc8e4022f001127950e5221b85fb3131d8d2c74

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
95f106d6c1e997ac57550e608bcb6d36

SHA1
91504dc6cc542ae462670188d64021d8154b2339

SHA256
1da1541fec25bf548f2a3104ad31802d620927972aaaae2ee0e0b5db55bda309

SHA512
57963b0ad8d7b675307d9b1531806a3981c1dae4290a828b47407db822fa2967a223df94939d1ffd27d104473e9219ec4b197eb5ee5decb92b3737c7838609f7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
0455eacb6df75b37df36e8b0af612dfa

SHA1
e9cebe82571e2e95832d7cc88f81c3f0fabf8a67

SHA256
c4eb6912be3ccfc9f3a54264027cf969cff5b1ae6e5b3e0a1cff296a1a63312d

SHA512
63f0ff077b153d1d2cfb01b200822c7956095231f5ab513cd586f72fe863d3ccd70eec378f70283bad89cd83478b4b20d6ec668c32d10a88a83f06edc68f251d

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
3b6c8a571ddc21e613c27d9255189214

SHA1
d088e66e3180d3f66849f6050073b47b21a67ad7

SHA256
de6cf4395a9531bdc6a42169b430959b1ab42e9826065946d88b449f1b6c50cc

SHA512
dbcdcf51c2346aa47d1a1ae31a5efb202bdfecdac0a34a1d0d60289e038153e778519dacb710fad8b0b03b1f113967813596de8ff70e7c4596d8a417f503da76

Download Submit
memory/416-419-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/416-191-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/512-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/512-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1180-129-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1180-240-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1352-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1352-179-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1352-72-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1352-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1436-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1436-45-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/1436-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1436-39-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/1436-58-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/1532-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1532-108-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1532-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1532-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1548-81-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1548-83-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1548-88-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1548-86-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1548-75-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1928-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1928-336-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1928-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2148-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2148-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2148-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2148-116-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2156-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2156-454-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2596-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2596-451-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2680-356-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2680-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2960-452-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2960-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3128-118-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3128-228-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4040-49-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4040-55-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4040-57-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4040-166-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4048-457-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4048-259-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4268-63-0x0000000000400000-0x00000000006C3000-memory.dmp

Filesize
2.8MB

Download
memory/4268-7-0x00000000008A0000-0x0000000000907000-memory.dmp

Filesize
412KB

Download
memory/4268-6-0x00000000008A0000-0x0000000000907000-memory.dmp

Filesize
412KB

Download
memory/4268-0-0x0000000000400000-0x00000000006C3000-memory.dmp

Filesize
2.8MB

Download
memory/4268-1-0x00000000008A0000-0x0000000000907000-memory.dmp

Filesize
412KB

Download
memory/4424-163-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4424-320-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4588-111-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4620-490-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4620-266-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4756-252-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4756-132-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4892-202-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4892-91-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4892-90-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5072-180-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5072-386-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download