0342516f60a034b899f51c497265f03f615ac8ff334b5aaf5b5dc4f6a6fa9b3d

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
Size

1.6MB
MD5

093cffaa92f8957eb93dc82ecb6c7e94
SHA1

c7abeef9b5baaad6285fae9633f45c3b8363c621
SHA256

0342516f60a034b899f51c497265f03f615ac8ff334b5aaf5b5dc4f6a6fa9b3d
SHA512

2c4fc5317084c7d5d16d58e2438055117adf2ce85c545a4fb1938e502e898e1cf356ad0a04f851ae2da4b05cad91fb0e090af2524227172681823a19c5ced3b6
SSDEEP

24576:c6Bo8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:hBogDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2148	alg.exe
2336	DiagnosticsHub.StandardCollector.Service.exe
1284	fxssvc.exe
796	elevation_service.exe
3656	elevation_service.exe
4476	maintenanceservice.exe
904	msdtc.exe
4744	OSE.EXE
4252	PerceptionSimulationService.exe
1264	perfhost.exe
4540	locator.exe
996	SensorDataService.exe
3352	snmptrap.exe
1600	spectrum.exe
8	ssh-agent.exe
1456	TieringEngineService.exe
1916	AgentService.exe
2536	vds.exe
1848	vssvc.exe
4672	wbengine.exe
4684	WmiApSrv.exe
1036	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\84b7a0bbb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000259a0fd2e5a2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a48278d2e5a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004910bacee5a2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000586b76cfe5a2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f16a87d4e5a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e48cdacfe5a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009efee1cce5a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d099e2cee5a2da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
Token: SeAuditPrivilege	1284	fxssvc.exe
Token: SeRestorePrivilege	1456	TieringEngineService.exe
Token: SeManageVolumePrivilege	1456	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1916	AgentService.exe
Token: SeBackupPrivilege	1848	vssvc.exe
Token: SeRestorePrivilege	1848	vssvc.exe
Token: SeAuditPrivilege	1848	vssvc.exe
Token: SeBackupPrivilege	4672	wbengine.exe
Token: SeRestorePrivilege	4672	wbengine.exe
Token: SeSecurityPrivilege	4672	wbengine.exe
Token: 33	1036	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1036	SearchIndexer.exe
Token: SeDebugPrivilege	4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
Token: SeDebugPrivilege	4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
Token: SeDebugPrivilege	4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
Token: SeDebugPrivilege	4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
Token: SeDebugPrivilege	4616	2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
Token: SeDebugPrivilege	2148	alg.exe
Token: SeDebugPrivilege	2148	alg.exe
Token: SeDebugPrivilege	2148	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 1948	1036	SearchIndexer.exe	119
PID 1036 wrote to memory of 1948	1036	SearchIndexer.exe	119
PID 1036 wrote to memory of 2628	1036	SearchIndexer.exe	120
PID 1036 wrote to memory of 2628	1036	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_093cffaa92f8957eb93dc82ecb6c7e94_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1688

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:796

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3656

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4476

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:904

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:996

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:8

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1948
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:5784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
3eb94ab1fe333db60d56f67591ddcd8f

SHA1
86b4945b0d338f26d71cc693ef6c600733e10958

SHA256
0c562eded580421c4514bcf9a3b4f2a4dfee7d1983f8f40eca208ca3c6bd2cb1

SHA512
198a23cf9b54b3307d904f3004ba5e7f5d2643437f15ea930ddb6225daff68115b888f99c8e21e60efb16513c251e9c56491b8c5ba846f089b8ff058f9e369a6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
57aed0a5fdf9473e4b72fd61a5480379

SHA1
b1c62ad46fb00e2f2453e027b46f7deb4ee95516

SHA256
65f65b7e278c32b6c8fd9214a38691c93a0d2712e0c54b72bb69fc355183061c

SHA512
90103eeaa6c065beaed9e8d8757d7b64927ff109fba2f07b83f1f74e69e3e485f6353fcc0628e19e39604065cf0b51a46e36ddfdf29824afee69994e3084b9c3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
e05518fa74c203a2a41822c83d3ee0b0

SHA1
36500b99fe606ebcb1093848b4773864abf7f267

SHA256
a54ae87d001b5f0c7934f0e7ab92f9766e35e6f28090f89bd8ffd0e9c734ffbc

SHA512
961d58920a56cbbed30c4f1ddcaf00cdeaa688cef1e598e49c79d89b76b19d3810212b33793d900fdf0c5fe71cbff1d3daeca8f70d84b3ce7cdf8d45bdccc853

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
89a762dad41c118ee5777510885893f7

SHA1
0ab56f59de89302d4d2b131e23057abeb7121b6a

SHA256
b507e8ca6e8e6472fa40ccce66a3ffaf647864d81e510dd09f3bbeba8fbd8c33

SHA512
80c0d57f24ef7f640c03612df313c5e80f7a157971aa7f3547f6205c379d1106bbf2fd9b750ef7fb5e6dcc507e9c13dd2cdb942791eb691e36934801e4297c82

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
316f200cb6f460ad5eb7b25a16a6c928

SHA1
190408512314b5e57388ed87b3e2a21dcdf332ad

SHA256
83cae19ce42b16ed48f494d7133b6f3426f8e8ad16aa092b9464e84d4faf7521

SHA512
28c4b9cd0d55ddbdd646688bad69a86f8fb69bb0820552976a40bb7668c0b833eb0f30c658f5336dfd907afc045ea3d5bd3a55330a635e34f2691b5a91cc9164

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
925e3a5a66a3544047227f6e6436a2f6

SHA1
49cdf5c094fd493369f69a99d1ae23f1aae3f317

SHA256
f077442e30f23cd3b015edd2f1cec6d5a0ff03da340fbb9bed4516016027bd66

SHA512
d00f23b609a95567f64691a884e806d6bd7acbfe1ca288599d3c5a810a7feb830db48b25c1df2d23509a72371d5a51db5539f7c32f15d37d4f69aaff4c3e97f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
ff7df4777b08e133dba9068ff70b0420

SHA1
d890f4236cf37a9cb6e090239bf4c341b9df04a9

SHA256
64db9cec4be4990265c01cec6b9825e51cc2befe08b7c8066c2d890983289263

SHA512
f45f80b7bf77e636ccb4067aa17d4ecee4e121d2c4985ef7837e679072d3aa11470ddc71820d6e9730f1d7e59c8287e5605774d03220234174392aadd9960141

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7593eea2c9c334d67a5afd84e9e7260c

SHA1
801d05bcb4f638342595a5ea946eb60ef734aee0

SHA256
bda76e16e09c16f7d75e9dd8fca4bfd42f271a7c0c60d9f02065327bef65ec0d

SHA512
6da8a9073356b9d31fa8e68afa6b4e30e37caa662366bc5a0b683d9b5f1dd292b0812b079ab4bd484639e70e7640d080c6dcb6bff08d236b039e4b08c603211e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
24da9e442f7b414f261be2a3ed0b37dd

SHA1
952a55cd45d8d016b599011371bd7ae0f264023e

SHA256
f0fca413a47c2ebae5cbb69ffae3ecbaaf0fd37634050a14e5d776dbf6ad8690

SHA512
a8fd6b99807678784ccd6fe98392117b1a45e991eb390cb1818c19032c0dced330d6091292b6c060d83ecab7aaf175c018ac9a2a753b84d6116e5eaf82108777

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5ef518e3fa6cfd469e9020617b5ce9cd

SHA1
f10375dc1dc8c23cf6212c2eb6a63a06deb50244

SHA256
86e0b30821f7d1395dc73422cb5fddbd18202c4e603962dfd133cd6563640a81

SHA512
19b1c5b5e237576c9fba45a6f907b568944bff67c8d7675f1eb2c088835d90cbf33aa86efc991a7d4316ecb712d99b27fc3199a7e747c15e139cc3d0b9b5a9bd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3bcfc808231a9fbda4dcef20cafa0e0f

SHA1
92e8a50cd5217f80f628b9856b4a9aa67cab4bf9

SHA256
98461d0eefd97faab5bc254efbfbe6fecadaf9c6ea7991c913824f8c082b4ee7

SHA512
6f3426e9378fed3c60c32611796935b3b9b6952addf0221a78293f06931731aba3d4dd67abbef66693e990fbbd97005ddc2ab9d81c86e10e3bf246daa94dc00c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b945c3963ead6442a77cbe2f577dadb5

SHA1
1cf679a37212899ffd603eba281d1e5862739964

SHA256
97e18db048c19647482011d1da90158ee62bc59046c6c257b80d598e803cef64

SHA512
eb8638426b877db75088418ef4ae378b7703ba442da2376a052b873903c6152e48670332c2408aebc79ceacc1986b9012d45577e285f892400fc2ac73f3c4f2f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
a53e1fad95d25eb7c020d8ffec093f86

SHA1
a3480d6059bcb04274da442f78240c6cead9d809

SHA256
38f0a8c759eb4e19f20dcdf102d03270f7ac55805082865541f185ec821c5d3b

SHA512
949dbb7237ec522aa3f94f42d9c429e3a5cd675253a63dc560e4137c90f283c4f2e763e4937759d59110c984d0bfa8e23323ebaa7a00e60a7e31e3717375a517

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
baece7efe1f489181bf169d796c9d9c7

SHA1
7abd49925f69cf9b7c2a1b8b0fd3c2b2dd1c3f4d

SHA256
a659e63f3cd48cb19ba8fdeabdce7990784fffc9ebe48c7cb5632beb53dff3bf

SHA512
bdd5184989729eca1d600922f1edd585a6d4bb9e4bfd47efba8850841805f25ce248fb2ea65ce3f54100f8519600bc26cfaf0df9c11ad2e54b6fe62dae08d665

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
4a7951f9d6debcad74393109384e31c9

SHA1
85172cf441e48399d57ccde05b2c0b7326a907b5

SHA256
689e3f1e8c402942715bb9cf8392c8eae664db922fcbdf7200cff39e508347e7

SHA512
34e5c23d4fc8968de7b2bd248138b2945f2e2aba3214ffdd106fe3201e1257a55c291b571d22ef260dbc615f87fd3701467298ac29d63b0e360778f58eff3825

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
4d3e4c7e3bd015ee82b245712211c7cd

SHA1
c11599068054b013d4ed71e9e064f83cc2644840

SHA256
1ff35a97819d5edaf416b12d09033594749518f0e8371076c448ead31a428154

SHA512
95a2864277aa0e139e7432440eb89bd682f9d38af31733b46cc4f559af61ccd9fb441edfd161c612e777a123bd82f46088a2f86c06ef8bf1b32562da25b03622

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
b38403b4e32f2068a011bf50dcbebd92

SHA1
8cbcf9cce0cb8c6ed8a324bf4ca13e7e02ed0653

SHA256
3427b62b3e63b4729f7cb0e2cf64eb2b69a12399fa20624e00ed829226f22f19

SHA512
920c34c465ac0f63768ac54473b43328e0cd7aeb1da67ee72de7ae4b8dbeeaac742bbef1e89df47089a3674b98af6c6da64784e604820987e9af5dc41f8fcea5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
524512b9c61f54f0af7e1486264019d9

SHA1
e4ee84a40ac649d1e89c260554d0182ed4042c89

SHA256
03868b897c9f16325e5a00cda4964048e8ef5b1ab047bf16e2002e802ed9a8de

SHA512
e38b890e2b84097a22baaec5224d553e781903f69d66f221649e1d01b862712b70c5295fdce18a9a3f82a1a378916aef283b9d4212cb4e8abbfe2efa67d07157

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
ea4aa4da6a26efaa49ede2bff37e03a8

SHA1
c1da2c8bf6adb6ee1b840182d41f296fc3cefca3

SHA256
bdefd515a440cca2264a35c2f1f92feb0e76202165c0f35aff80b90a438d1148

SHA512
2832658889f1127f905b2c26e62bd402c4184efec57916941f738d5aa882798a005b1bc6e5945dd4b1d9f6e8484db215f8401dacaab86a9aec0b2b9bc2ec3f6f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
f80e66570852fc70edf8bd8126cae1b4

SHA1
001d7282321a6ba0ded8df0a34ef51a264c3a98f

SHA256
4f89f58b2301a86a5d8fa456a81bbb60f8330a1b4b3bb76513684c709d2951d1

SHA512
4a5badafc922e91ad8b222ce09cc6153f8141a6eeb2e6d03e50df1b5bbd74d1882e18d2ae749f6d2f309e64e9bec2fe06700a9a10280662a0a668fac7364944e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
60a38572cfad9c793ad538703cc3807a

SHA1
cff5d0966cc1df6c76d37a56cf5302d512ad6e48

SHA256
5696beb5bf3c9466829e7800d7afdd49f7bb5e12dcd5d17e41cc880280972931

SHA512
d06dcf57011c883a11eba3217098d8bee3330f16626535d4300e82e3386bd257c1717c187d57e489b3cb45c64a9f6ec9fc9af2c466fb79bee304a903dd320bc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
a85844410eafc4d41b8c4d8a4e08730e

SHA1
5ea7b8a099976f69466a813e6c3c9e8c238f9cb9

SHA256
70a9dab01baee118ad31de54139c05134a0b4792bbdb6fded8f49c8edf5d77ac

SHA512
0c32a4bef1149ce1ac714a4a9fb09d86722dd6cc8813c50927f5b0edc13049c917c27a9d8efc03b0d9c5ddfbffaca4f7c13ffd09f6d573caef22dac7dcdd26c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
9bd214e757248914ee136865e2c1cd39

SHA1
07d72d55c20cfdd8cf5011fabc1e4f9e9c93cbbc

SHA256
5e2251a214387bd3f1020de6ad2ae5f5f5c052a0ab50548c5a9bef7e6872895f

SHA512
8b48c4486d65c00588c12961c85b783efee914cc2dffbab6657b5e9e92ab1aea5dd2122835d14a46cfe7dec048abfd95546ef089a24d722ee29160a50ce06008

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
a047a73dc512f3b6996d3a602c817e37

SHA1
965e695c9bbfece700c1a59d4e1d373d807c7be0

SHA256
1b2e73f4b9872eff41d6e1fb48ade8cd4861da183d31fd4562281ad2608e4836

SHA512
c9879e33b0e4b4b42e1c3a7e624aa8a7f360818b25188ffc80051d31b2a10b3e21c6db5b14d3e89fa2a70ff3425c26b95bee57cea732aba3599e0f2925254132

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
95ec1216b402e9123d0bf19b823ea52e

SHA1
62ce7824ddb3ab600312afd96a9b07c662d9c1c4

SHA256
2872cdf5126ac3f6eeab96f3c029d6af5092f5ead04f88a0f18054e366a8a14a

SHA512
aa5588ff8b09aeb916354acfdb3afb15d592382df9ae2804097e5f740af96f31983e0da9fc2a7f0b79f7ee9a77e9456063aae05b69ce924459a69e512644db19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
2d4732dd03829bd90bb627b94e698cff

SHA1
288a940dbd5f1320efb4d841287cb1146476fd96

SHA256
b805d58a58885190a886ea083d67e9028f0e31bafe45508ea3f2f7be2273a0f2

SHA512
dd41104392df0267052c7d7faec75d665d633a88a25fe0f63631b469529156bc32854c44ab970f134e9764bdb4d4964f53a95b927e5dfd0e5463a1b1c1b92a33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
02e2cbc031faa487f3e016671143f819

SHA1
978b172c03318278a1c05f9df73da0a1f0b4b1f1

SHA256
cbc980962f638cad369f6b84ac2ba358dd925f5e230edc823f1692f973915c6d

SHA512
674bdc21d16dac2a717cbe4b23413d8aa728ebcddfb0f1acd773ba7039b15b67a480afada02c235a90cef64d3dd05c035d9e0d55f2e93ad133877b1214aa6067

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
ce4885d7a45a3079bee72c626270f1fa

SHA1
d9e0da02d969b00d41ba747257671ed40c6a72fb

SHA256
dfd00ff6a178f4ac30c2133dfac161d2cc9d8575cedb83932e9c29514e81b271

SHA512
4bcbaddf7c72897bed7f98eb446e0c81ada094bcd7f68df05efadd06439cfc94d6c3cf141ced5359a09a80172a2dba81d98c9bc4fef121a1eb1c24152521c411

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
636170ed90680e89302492b8c31c44b9

SHA1
a3a3cedcf205715d0c6a37e87ffc98e358393a71

SHA256
5d8b0339ec500e83a769b77467f4599a96a4a29b7a7cb51dccbc0bc39b949ebc

SHA512
d147a80b53aecee8c53381346507a2fc0dd5576ba3c777ad5228cbcd78514d77a96d68446b3e4d940873840d5e0d147465cf6c199ee3ea1f88868b8ce6765473

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
d5b7089a2da221441f79d952858e310f

SHA1
4bde791abfba9ce6cf1073051a866d5a7cde1544

SHA256
43e29f472d30105e4a0a5258a5ab97181cdbd1698eb412b6f371de99ec76a0d7

SHA512
9987014d5c57b2f98c20749e337b94c344f4ed5d800d21daedaa0fad10b28639e1b184c15cc3404f0ba7ab900c6cc8b7b1f2a18bb7c8490549240a8647657218

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
ebea7cb11a0ddfd420fa190344b7afb9

SHA1
9c01564b7db71afa698d06205f537da46cacfa9a

SHA256
698c6556d6a96031ccb7ea357f6d972bd671845b1ebb44deb245a1c7a3728329

SHA512
668e4e7afb438a7a3974d0fa185c12e8185402804154aa10e55d57f98b41a21ba49e9266a454da717795f3107cfb1f99dc2a24cb2b5d0e5c10602df157e22954

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
7b75e3d6cc59ba411b8e1772cfe2d776

SHA1
97d771d7175d312254126a24d1f1ace467735e31

SHA256
37bd77b74b8c5ef2a87f007d8cfed12e62840f05df0ce8ddf66717bbaa1567a9

SHA512
548d01270674556d2f75b329c9b08c25d395bbd3737025e7df284a258f1b74115119a3d2819fc55c0d76554baed848ec96d5fd24c1242959bc91015ea0f295e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
ab8f6dac908bc8cb3defbba9e9c726ce

SHA1
c4ab3286e4156d62c3658f47c4da6734f550be8b

SHA256
98ed78c28559fb74eb0d1c957f220cfb9d3b56de93bcf74a09b29fbbfda5cce5

SHA512
620fdd55837be504c266a0f267623fad8574dfc8e2f3312d1b5e5dc1402cbbd8112c5018eba7286271e8206b2aa8b11f05c469f66803116b4c23c8938bd3f564

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
7c979b40f82ff02fd241cc1c283d9470

SHA1
1b90201cb592cc3a25524dd6ff4d33d0e67af075

SHA256
28394721c215171b8c9905a522358b90053252c1650b02aed214bd4d60282464

SHA512
f26dbf07a8de4d7a65e8154fb847c1b8886c6e23b81dea33a089c4b68c0cb2ad8ad8e321b0af1e45dc4026402b77d892046b9029ab368ef2264202d5f77743e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
75112c2cd49bb332b34dec17ba7fe8d0

SHA1
e00638e7f2c3eb13dbe2c28e300b55ee3c57f584

SHA256
07cf07f1c3b7e3a5b956aa684d702fff8ea0995aae962a6eb50c70bbf5952b18

SHA512
dc0da8498a5661b9415d5f13ab6facfbbe466b9a28b9bafb42908baa693b86af2f9041518561166794db2f0499b0991121aec0934e0c56533d50b924c94057f6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d5f9e9c28a8965c846bf9203ac60cccf

SHA1
218a6ebe28452775aafa9eb9af91688000c80316

SHA256
558be33a67b99924a210f547ea9538cda4308320a27e0c8123e3299baad2bc3e

SHA512
ef586217aedfd1a86a0b15d3edc9223f33425920b21868843b1408f7d95c4748c3d5385fb5d7150f5a869c48c139ac853ba718a5017ac04c50b94442b4623966

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
5585662082b0e3e954b93b921c3fc352

SHA1
69b9d400ca2825ba9d0df9d33b5a695f4522a7d9

SHA256
746fab91d46a8b200ad5f82cdb988652dfb6e0535d5e24e6bd88bc3990c3bea4

SHA512
3387f427f6c5601bddd79a4c47a138ffd276e89807525a31865831ee6952cada5b665babd25ed03f322668318cf1024f0d84ebf43d4abf4b263d44f1bf53c8ce

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
ef5a7c40cbdb307d6ad1b3f8251f17f2

SHA1
b1f0029fb3299e02dba2769131b1c994a39898ab

SHA256
32a0673a0a9c45348fe4344bbd107e264d3918f29bc5678b04854af98736f7a9

SHA512
0475753b91d744ab5f12e030512db6a140b0b4f918a84da3a6bd86a2fe05fbb2cbe9247cd5dc82783a1e20dbf8985c4db25e9c880b1b9a8b3686e4b4a4554c7b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
478ab3902c3bb7ce0b8a2e436167e64d

SHA1
a558017e3c5faefc0580cd7fd539c1da5765574e

SHA256
101fab47631288c004380a5ed81a1df6bf27e23813b1274a63d213774c5d3e1a

SHA512
b8a25a86d2133fcbba7ed63f9726549351886aa68d62ec3794eb19ef741901be601d4f678d6c325c9e8b088e5ccf4cbd96bf1ef43be64a12d32e1a3e65d26313

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
175124baf044e8ffdb61d96c5b284d5a

SHA1
2526954d9bc8e3dc363122e35eb072ee3b94cc23

SHA256
44a4fa96b1a10a28de9086b04382be230ead8f19e4e8989477645926ecccc0c8

SHA512
a54ad509321c31fd9acc7a3ec828d1d89a69e60bb4d683a6b2e8173e244fc7317bf3934587f4c012720d223bf4f59509dec1f9a6d20b8d939490e87087393157

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5a4f1468665972e22775ec14e746bb0d

SHA1
ccfb93f6a8c3224dc6d42aaffc68f9084e9aa410

SHA256
3a4f7d9bd30fe21d9d8a95da539ef33eabb1d5cf9553a7c06cc9905b992c3ee1

SHA512
bc6894bd32242def5ad9279bac78b5ed5ddb1064a3dbb207149e99dd511e62c93a5b35905d1b344ce70237cde17a23be347fb3a0b67aab044857581c4a79be90

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
8d597dd387fd1d83ab83f686c9707103

SHA1
a788fae33f8d470208e43d2cf393fc3b471a370b

SHA256
9bd49e0ccca488228f98e17aec0f809b77538e7671377739618f7311427d8590

SHA512
cbddb421134a51b2cfb543aae5b833dbbfde60fb250d2ce24d6a708fd85c1d2fea01aacb5f18d87c73dc5ba779209630d72688aaa8edabef52dca86212b5486a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
36e11f0b1ec571c29c6d7dc52c0bfa29

SHA1
7ee543b93cdf3161101ac1d7548721f6902060a1

SHA256
b421ac1ec9239022d57d7b1e62237f9e03293297fec18745ccef63c99be0fca6

SHA512
21031422f2563e889d96e6931ed14b27771b218925f63eb63bc7a0f8115a924dc90f156a9952bb956a5272385e68f3e7b72aff3494c1ffd9d0a073d069d9c23f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
7d4cb0353d609d77996fcf5a929071e3

SHA1
c4bcc5a68290525363bdd5615505824736fc021c

SHA256
43ab2337c35ac3e6dd4909a1039ce91747219108d1d4665efa9d9e6793e0205a

SHA512
6fbeb500612ffbdc021b5c16182d50b25b2302a11a47e1dc18a0a9d01a46457c371c8bfde27f7e6ab90c26922519062dd8140b7213eb04534673ea7fe50647d0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f3108aa1e6ddb9f9dbe77bc7ff4afaf4

SHA1
8d59ab8e2b9ba8ffa34bf332853eb9fd081491ec

SHA256
93f1ed02908bcf7a265ad7c77c0e87128fd283d63872f5da9dc5bf256094a40e

SHA512
576983d7fd73d03cde578ac47952a37f36461789d82d2befa0a41977fec90f8bebb2e369223be1443cad74fb80b86b4c96df2097468a81165f38d0c1597594d1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7541ea3a779f05feaf75c60764cc7541

SHA1
0b4d404cf0333de4fc533b81dae2d325a75f5ccb

SHA256
897e6f0fd1b69c9519ba917ef172ee59479134803744ef9337375c85a3836843

SHA512
8528b2d1ad2b9e42cc7ef0c578f82b0cd3a8259f9471f0d265312a2087ea61535bc99fec15dfbe3de2b6adbe3edbb8372e48c37792f19fe0b6999631ca8e8525

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
76a7343835eb751716825995922cd1f7

SHA1
d65b6ad6986a59b3b88737e5c2ab405229e38d26

SHA256
70aa590d02a5cf20296af211f8f3a7cb8b9fec5b0e6ad7675653b6453686b53f

SHA512
7e90c44e654c488f44dcbaca4b1e15ddb3482d4a09c457c548c47e179e8b0018ede023322fd07e09ebadc34f958f8eecba520457f89cbb5d4bdae1c29f3a0dce

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
b59739a897f9e42f1f756c8cb0ff1abf

SHA1
751f9dae1b06784858aea33c423a5fb6fa3565fa

SHA256
4b633741438dbe75586307164f465d2978ae17c97310342ad7ad40d34bd24c43

SHA512
7c4a31546134e038ef0636561657ffc0b0da1b60a9391d282c16c4b36f8f552ea82717cc4229db0b270322e08a249aaf059f44e1de78ad0a2e869beb0f5ab925

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e68e79df2cee9c5430ebd3cd97cc6fd2

SHA1
9c466738ea3aa2996102b93b762efc2d880ab72b

SHA256
749fd181b2eca884367eafec0b2b75820206fabae54348f78aba664de3378048

SHA512
f4732e095c8131e504264f25e30832ed4c05bf3e9251a4dc173abd63f3de9600bad4ab06f5ce734c89a0145655d58b60f61a4d5a24ac8a55c0362340e373c1ed

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
93ccd392ae851d525194dced39b3e96b

SHA1
27c748e1853a367d703f678f30607a60f1465f10

SHA256
d6feee6adaed95567cdf0391e0e3c824b8b09e92d40916084dbe22d87e4da757

SHA512
d8594a82e5826a02e174d926f824946a0f42d0dd151660a13d0ee7a43e0b1cdcea55b8793480f9e1611c19f6923a1b247ddc965a7cf9d6886b9c48d8b4bed8ef

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
b0f8b82063833a10f8d5c497e87d5090

SHA1
f792215504d1713ab2ae5a6a94881eef396d52f8

SHA256
2f615e55b5cee85ac3fad215b74ccca503b13aeab00f727422a9ae968aec1498

SHA512
5eaf435bee821e0e0c465d9ae72797bff5977a66f05ed065f91c90c5d2cb29eee90190cd8b1dafb28ecac42928c3571b71325d6a13e9de33243210be8eb2006b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
a3d2f47bceca8592971932b22e32b3ca

SHA1
dfd322d48ab408300d923a5f679222b7971829d3

SHA256
eb6a2796053f43a58676c6c8b417a9df345e9bb315461253755dab65b7dab856

SHA512
95b1dbdead26e9bcffcad2c31518ca4d85ceefc73fc33dee41d9410c0deb28f36ce35bc047736f3da75ff1cbeca14a313cfdb481125277cd4e681086b6097860

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7645b9247da18622f7fdc13119fd8681

SHA1
7ee458eba4e2add5125803847c10b778c697ed46

SHA256
3fb6c9678493d4fdfa578267b415f060509e710c2ec151e7a0c7bc90c73bab9d

SHA512
efbf1e639c4b4d989936099a1d162be4ff0f4a1f7ff4409781b93d6f7a08a3997312a60654421f6edccd51d56bd9bb13660db31262300cd382db0cc33472648d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
e2b0d9d38ab8e31b172efa07c2e6668b

SHA1
72a97f362e6767f64fdec954c88b5596ff8e9a68

SHA256
14564baddbd4d2bfedf9c79518da9771d81aef7ac263566d8a4632bd7a7835e7

SHA512
0d2b679ec4f9be93fc75fb33bb9c1c564c6cd71635df87d6a11ccdb2c60da40da50971d7b1850210d57db5856ee31253851674853eb6a3307a2b80f63e722bfb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cab7101a27f36a61e0a09d461b5974ae

SHA1
7fdda58692f9fe7d0f5e2843b6a51f6f0c7b4b44

SHA256
bbf5f7744b878429e59d6e576e0c79cf9a1662e8e4189f25df6bd533bb3f39bf

SHA512
2eb6b8a7a350e20fe5ec9d52806033674442615601448e6cc36ffad5ef95298b4ed1d3dac52eee1064cba9ae21c01e3ff04712f4c24f924c85286c603d24407e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
94b4e7c127cf5982c157f8438191027e

SHA1
7cf546cbcdc58d4ebb966f44f694d23724b6e5bd

SHA256
280188f947aca887629186af9c2ab03672d1e8a49a929d19fee3f6eb1fa8d71d

SHA512
cb900ecb6da16e3037fa0414bda069ca52a157dcc2c972a49a40fe6c0cee06b79bea506b55b07aff3698b4b7c11ef66e5c31d48defeff8862256f7fe577f99bf

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
6c5489ca704a7e2eb1d5042590b937d8

SHA1
cc3fda9211d307bf8bfe5beb22917388659454bc

SHA256
103838c83c2e7aa27939801737e1d81be951c1c58de3ab60e40202060b946500

SHA512
69686906f3d4f6e2bb84536a8be2b1e42816759ca7548d3f489596dc7f32c43d9b34f99fcad138fac6d6831436ef1f6d852c10fe92eedfb1e580679a2a6ec1db

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
f71fa9f706389a01702ac9f48e9537b6

SHA1
6a873897be82911f3e39394eccde225f2024027f

SHA256
a46aeec98543ed81180fe741151575ed7462d7259124285e0cecb0a8b7b97368

SHA512
4fd9745cd70e53ae53a2d1d853594925896ca5b79fb86a03c8a3b4f4d5fa9c07a5cb9256e7aedb24a33564ee26143c74ddd47e8db058c04cf5dbbfb4e845663c

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
4c625ae23d91181ce7d3d2046d86f478

SHA1
1d6efdbfeb549dd4d66a246276cfb82d3015713a

SHA256
9ceafbf413d5071c38830270444622640e288f87a068e77c9906381300ecda1e

SHA512
74b2a3827d3a290851381b53e74da5dfb6cfe729734342a342d234f98817e2eac82eb82ba376ebdb96ab61db7d6bd70f1ea89e21843dc7b237496e4f9fcb6334

Download Submit
memory/8-389-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/8-193-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/796-52-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/796-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/796-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/796-171-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/904-89-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/904-207-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/904-90-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/996-348-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/996-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/996-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1036-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1036-545-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1264-127-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1264-246-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1284-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1284-38-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1284-47-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1284-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1284-44-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1456-411-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1456-204-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1600-359-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1600-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1848-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1848-454-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1916-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1916-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2148-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2148-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2148-104-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2148-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2336-25-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2336-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2336-34-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2536-438-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2536-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3352-160-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3352-332-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3656-184-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3656-70-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3656-62-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/3656-68-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/4252-116-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4252-234-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4476-85-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4476-83-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4476-73-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4476-74-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4476-81-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4540-137-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4540-258-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4616-88-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/4616-0-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/4616-7-0x0000000000900000-0x0000000000967000-memory.dmp

Filesize
412KB

Download
memory/4616-6-0x0000000000900000-0x0000000000967000-memory.dmp

Filesize
412KB

Download
memory/4616-1-0x0000000000900000-0x0000000000967000-memory.dmp

Filesize
412KB

Download
memory/4672-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4672-463-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4684-480-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4684-265-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4744-113-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4744-222-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download