6717a50f6cfc3bbacfe9ad23cc29687928789b183ff59785e50119b64b1d767c

Analysis

max time kernel
154s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
Size

1.8MB
MD5

02b2cf9b514ec3461da4f15837aee007
SHA1

48ce22254980f9ad9fe38eac6c3fbd77b0f72037
SHA256

6717a50f6cfc3bbacfe9ad23cc29687928789b183ff59785e50119b64b1d767c
SHA512

ee6b705ba175520b2f8e1682cfdbc51081acfae5727e6472ff9eb8a63cc61d373439d85c16339e6d3ec64f78f2de2b2d7a50ae5157b1865037d6d85c001a7206
SSDEEP

49152:0E19+ApwXk1QE1RzsEQPaxHNVkQ/qoLEws:Z93wXmoK9qo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1272	alg.exe
5008	DiagnosticsHub.StandardCollector.Service.exe
5116	fxssvc.exe
2436	elevation_service.exe
3460	elevation_service.exe
4796	maintenanceservice.exe
1768	msdtc.exe
4908	OSE.EXE
1612	PerceptionSimulationService.exe
1480	perfhost.exe
4344	locator.exe
4628	SensorDataService.exe
4204	snmptrap.exe
4232	spectrum.exe
4924	ssh-agent.exe
4892	TieringEngineService.exe
1472	AgentService.exe
4656	vds.exe
4400	vssvc.exe
1004	wbengine.exe
3164	WmiApSrv.exe
1316	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8249b957b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa4fea19edaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd6a4319edaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f47f3719edaeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088f38a19edaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df952b19edaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078508d11edaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f134a217edaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a89041aedaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
Token: SeAuditPrivilege	5116	fxssvc.exe
Token: SeRestorePrivilege	4892	TieringEngineService.exe
Token: SeManageVolumePrivilege	4892	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1472	AgentService.exe
Token: SeBackupPrivilege	4400	vssvc.exe
Token: SeRestorePrivilege	4400	vssvc.exe
Token: SeAuditPrivilege	4400	vssvc.exe
Token: SeBackupPrivilege	1004	wbengine.exe
Token: SeRestorePrivilege	1004	wbengine.exe
Token: SeSecurityPrivilege	1004	wbengine.exe
Token: 33	1316	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeDebugPrivilege	1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
Token: SeDebugPrivilege	1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
Token: SeDebugPrivilege	1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
Token: SeDebugPrivilege	1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
Token: SeDebugPrivilege	1504	2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
Token: SeDebugPrivilege	1272	alg.exe
Token: SeDebugPrivilege	1272	alg.exe
Token: SeDebugPrivilege	1272	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 3992	1316	SearchIndexer.exe	116
PID 1316 wrote to memory of 3992	1316	SearchIndexer.exe	116
PID 1316 wrote to memory of 3668	1316	SearchIndexer.exe	117
PID 1316 wrote to memory of 3668	1316	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_02b2cf9b514ec3461da4f15837aee007_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3976

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3460

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4796

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1768

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4628

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4232

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1096

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3992
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:5772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
8e84684b5102eece5265eda3721dd739

SHA1
46eb8dd3b98f32b8b41d8be05a095a3aa0b71740

SHA256
6b0214e55d9acedaec4e4abc89abface09e0e5b2b7cd3f239984e2e492a0d57e

SHA512
95423973bf970bfe6a83477b21c4e9ec68d272b1a1ab3ee3b076d0c7a3c02b39fdcd1cfb61eb581c6019237e8875e1e7b0c2b4547ba63d8e459aee80d240d26e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3487d8006a04891daa787f6159d5ceae

SHA1
a679976e9a74398222055b8f24c5283615aa2757

SHA256
272e29d4861737b8da6b785a54cab4879b017a01d75904f58fb91f64f535b234

SHA512
8bfdbea7b5f80571460896c555184141695712cecd6bf61a6c8f78f653a8c7818ea28efd5aaa61014d9026675c98493248277880f4d7695bcbe72902ba5b7f7f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b04b8aac49f0cbd1b026c6c64a254277

SHA1
8d19c8772b60e323bd1985511fe1bcba43df99ed

SHA256
f31069e6629cea5dc4d5258991d5c0f4ef5cf3ec1c58ee17e0c89dfe99ef9a19

SHA512
c454d9e174f5ba8c19554acdc088b7fbb82cbc774a9f690e98d59b0b8965341fe2c71e7dc8e7a5d7d57668e7d29ff8ea0f15818fa33f74923c17ca9a4131c2b1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6d99fc4ea915d6345cca5bfe851329e5

SHA1
686bc609c57289839bd3bd9d8d3b6bd86f292b0a

SHA256
fb86b6fa6d38b58116d1a9dd73b3326b8f16f756a24b274e40d027464d201d55

SHA512
19e5e2185f87fd7542911015cfbfe9f2e81e0cfee97716a9502cff07516f9c2684da4b4bf0b7153f5a56faa320754f21ef60944a78823159f78e2f8622693b0d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
117ca2bf29456a582961e68735590e04

SHA1
1610ac984cfa646103110d1f17578781001e8169

SHA256
b792c7c30086c2b59b98db8fdfa19dd72e5d8e205de7324f212f421e5b127d59

SHA512
7bb526050637a8a5095ba9452339a1ee99a3fd01068ed8cad2d117a45b0d72184254348329cc91e35e082c43d7bc55746fb130282ab1557a14da28dd94743991

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c154d6c6cedcb4d9d19fa91ac8f33d5c

SHA1
c56d17b11d52afefbd4dcee982054d485ef5313e

SHA256
9f8fbac663cb1e21f7e3baea0e86b1aad65d442059bdb52d4bcb39cf587b79d9

SHA512
2e59375ce2f396f90b3acd9bbd78b2f7ffa3ad5af742744e8406f605e4b2fbd5cfd9bfd183edf2fb10cad50da2f4cfb70e272db14787c03e0f1e9b0715b8edf1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
b5e2189245fed7055f56dc01aabdd30c

SHA1
8a0c912bcf66dab78ea11aba663f8d5ed179d201

SHA256
0e7b55a885e7b9b11747771b84f53e40d1f80fc08aa39be7f7d2b01e22a80f5f

SHA512
6aa9a15ae1d1527004a3df170c21ca8814dabf29a0645c95b7d9a17cc4e52d96295e9ddd5a7c4b7d8021542261e771239c9d0f82952f927bd066c7c8f8436f98

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
95571492b35fc80bba8ff05ad2836368

SHA1
deeeda7a1c3f7d439bd6610ea35acdd0970f0d23

SHA256
f98a06cd0e37acfe858237e489e97220b960144af65ff813db0c1d42061003b6

SHA512
4a84b6f867c6c25d0a38d6772d4218e095d5864dd66742bc69fe92af91a96f9eefc94184a275eebd3426931726c073160885fed35b567a0641ec9a04fe4b0de7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
a422e461f5dabc728d87e380d7c7592b

SHA1
2f501d8f002b3651c489f7115cadb02bba8ea217

SHA256
e4f1795afb6e436f342565673593162ed491c5c3652b67b70fef9d2e8463754f

SHA512
6069bf0b98f3380423c40774c1cd8d3f4e9af170ea767a9ae57d00869dfa00f14cf5bc4d2d9888ebbf96ed1291c96593372d9c3e61e7b113e677a333c7b96726

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0690a5b2eb5a56b04b271ba6bdebbf36

SHA1
c529aea242a14e056d20a37acb38f66089b979c6

SHA256
41833a478fbfe58b987b9d2304888169bd3a4a7aa6b995544e8122890021b57c

SHA512
07d9106cd8fdb2fce87035d95569689d0a887e46a99b28cb075a21e21785bc56ba0e90ac19cf35d6ad9ecba33b463c35701afd90104842ed381af9e0a77a06b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5222d28866ed5f1a20c4377008a53c2a

SHA1
b8f569b2a1b77e0c1e1aa158123522fc1e96d05f

SHA256
38f3bc815a4d0d2791c8c7b528c136279e3508b66f265ba2ba8f889e819b1dc4

SHA512
7cc3be4e1ef328185531c26430d048e598cf71a3e895b1627d54f4d03e4fa4ef0e44e16efce2b6d88605598551717cdef8a29c2f391f7b3e25800a9e2bd8bc5c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f7d194abe44c06a11107556afa02aae1

SHA1
bd38e3f18f2d54cb409f55dcc6722cd789f6e033

SHA256
47d5992e0f92934a0147fbf21bc680c4dd6ce3b7d3fcda9fe2c7b1f7719b411b

SHA512
a8a31d48a2670b83a79c3cf1b8b0c0e73ba741771e20355d6b07a059ffab4aab7037a702acfc30f7c881592bdc9518497e7c4cad50abfae307f75f4f91445d0e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
be53e296010e5ab4969d837b54f21707

SHA1
533cdb8669fc907868336239ee506b1cb99fdc0a

SHA256
b89992fbbc6204cca77571741af5a8c707014514cdbee9e84e4e3469f8e38cbb

SHA512
7c8ed6cf47499826b573522f9e219e103eb67dbc2ee0931a3d2a6cc24cf8bb6f08e86b40bb769aa4d1303659afcd5c59ba9b5ba236720b65c879664fe0cf4914

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
b579688c2d5a60147ac534a7217c0318

SHA1
ea60718f0921f71754c983c810da5e40ad3671bc

SHA256
4c9ea7b8d797946b9b5aec11491f6e1257213e95c39847ca4f74b33f154b44b5

SHA512
bfb21d28aa1c65b614938c5aa8f5fff57b21490626425d89c63f518930302100a348405c9d721dfc9e33080d7bd89d32aec375e6b67fab02e7473e248a1ed92e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
77a63600d9205347b3b09410b1a1af36

SHA1
59f9e1f499105a4da96df88f9fb1a41279e5293d

SHA256
d285e0ba8c6dc0e29ba774e45e4cf7048c0ef6caec4413e35f8b9dc0d58b1828

SHA512
914d0737a9387da344eab70790816ac9de30ab1c546b8bd3d2d200453cbc92f30ec8660e5d8089401df0e1ea980df890dcb5c6ffe2b2d70bf6944d589afdc241

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
a9c4bd435b3a390c0ad188d77e1bff58

SHA1
c494f584a11c7668504673b1e96068635cd429ba

SHA256
2ba5ca9839954ee3ac0a682e599d3c11a5fba7109f681b0cd955e557f85d1905

SHA512
d40dc829f0671a9b6d6adaba290a60f23bc3ded690e9cdb850df90ee1e36eae1acb3d590bb070705d2494232d3c497a8d5bb5cb9564201a38a2d7cbf258b5e6d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
487b19aaf44695c86ee76a063426d670

SHA1
cb4fec37d0947bff4fd6183912b2eb4aa03e9298

SHA256
96d3b3dce9a2820849ede1f414afce704866d924c1c020c3ab6cdb35fa12e0db

SHA512
c25323968f3f6cff9c38e7db926240161255ca4242944a27312b6c75489024252ef78992e8517c26c363f1147d945af6e90bbb919c84cdf1ad61c03810b23732

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3a0e8c343aaa4d56db9528ad3d01c2aa

SHA1
13e3c127106c63a06cabfad863734f8217361961

SHA256
ffa6e3cdde55bddd8e394434c108b8e3922edfdf615dd666010c110bc9ecdba7

SHA512
429acd80c73e0512a8efcdae975eb31391ebff058c352a62d5f7e7741cbb1e6b87ecf816550238c88ae27ba126998ca6fd13e922ca683b55b94820b6da5f08d7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
95528d944c71712c41ffc7810af47c18

SHA1
89d985b9c55423bd85e1a0cf65411534ef6e89ce

SHA256
056109787b17dcb1e6358f870f03abf72c003ba7bc39fee5b8d8ca370423295a

SHA512
e6d0c4797495f1711e199729646261f7aa07764492c5a9669cf27883232832f6ec0eca023a984121b4d958044d823080b66af54a7286309c8a930c64c744f6a9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
116707e40b15b7ab5bb2acbb4d1a7750

SHA1
d13c918fcc48d813a2a56542183ebef13fe4ffdc

SHA256
ab78c2de67bfcdc8539c601e7ae881c4774e68702f0e21507b44858b2cbcc281

SHA512
0de75b51828e56f65dfa44a6ce46329330ef17d14d94cd05be6aa12092b9bf06534fe3939b21fafa9de38aac36c3fbe8aa3db0ee6e11c4527566f4abe8071d37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
7aaa8bc4ab51ae58222da433d7d22837

SHA1
d40e444681b879b184c184098bd3758349881f61

SHA256
8e42ab87887e9c7788a505e55bf26f34f91c51b0eefc405d212cd2e3e8b03479

SHA512
a27b0c566719ae2226efd318bcab49a350d57ece8e30c3740e4f9056e7f80bbe2a032485bb29b4db03ae55db067a3e834e0fdfaab1ce309c7cd168bfc38a4b2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
09971eda4b8a7a2ec6699b47c2b933dc

SHA1
05531a59e1b0a0114319ec8fe5614c6f93a89cf4

SHA256
ba47425f6413d9405dbc4c371b700a46c6485c878af9a32b26083c2db3431a4c

SHA512
51978c035a4b3a89fe503d66cb7be2964d33dcceb8e7423a0f38ce72e012e9333fe9809ffad05a0bf0bb5230ab57e267708a279689a8b2785acd10dae176d22b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
1fd742dfd507021de58c56ff99a88593

SHA1
0ee6c8424a30c6023508878655f55c526db02385

SHA256
3a0ea01d196a16a5a0c58d9a63162a2ddde3a9df6f4c01ecf21d402e11489435

SHA512
c2fa11c3e82ab35bc84e8eedc9aa68fcd2b5bffbf71d44aab9f4529158cbdde275dcbe0690c39a88efe14c7813276186699a8d9b67d0c963a653c80e4ef6ff61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
61ce0798e7983e2f2c1b2324b8d3c743

SHA1
0da9c3019c09d144193f6dbab030056f8316f1bb

SHA256
6c09cf80d3ad005d75b3a7f428b2ad142de05cedd20e00cec461d5b625b5e7f4

SHA512
79d61ef4f3d951baa7bea26afdd0d2b07d84c923b4b8b7c5cc756e8d849175ceb220e792541409417f88a77ee7a550d1b203e30873ff3f266d61cc2f97d8ac38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
b795ad5e13143ff51056633731c11200

SHA1
a33d2b67e8ced6509716d0434072cdca8164ff63

SHA256
c8165962a3dfe46cc936d137e33954a67adb08361352710039cf9b9a485767dd

SHA512
b877303c8c3f9879116b4d6b218e25751f86111bd15c286b81790873047eab46daf064f9ce4ab8f3b2583ad78b8b707d300a5c0ff1e6f780e729e5ddbf2fe03e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
6c1b6d2df3248a2ff198fb68ee1f2561

SHA1
df9e6bd07fcc48a04e25fb85efdbba13f3fb665c

SHA256
9cc8e9465d5b90196be4bab46053eb0e3abbd6adb6038f54f8c59fdde07886d8

SHA512
3946eb34fda7a075dccdd297adade0d26790bb201822819b738905c0d1ec0e2cc29bcfcf06abd6f077ab6698cd50b37ddabaa978c28c7e33dd8063179fe8504b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
c15d72bf1d5def6bc150eb70da96a225

SHA1
64fba1606fd820e0acb4479eee9fbd4da8a2ca42

SHA256
00a6ec15c0676891a0eeb54817f42167a5e24e3fa4876e3ad7a7373649218390

SHA512
aede67c47865acd25fb2ece4ff82988d6097ecce694376d7510eedfe7a3238fc85cb2a617d477d7bdd8e1bbc66f8f76d1aa2e4c86dc6b7eba15251915f397d17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
c8417819fbd4f3fd90135672badf3060

SHA1
8e16bf094aecd570f06f79f10679219f45dc3f00

SHA256
20d3d3513138a084fefcf95a28e41e2380c9203a4e29c55202da238bfe7c0a70

SHA512
3b5916647c9b7e04853fd003df6bee1d3c1d8edc543c83e722ac3486ebfd8af54697ccb256fc954031ac5cf9afa519edd3188c2164084806ae6e1f5e50f77ac4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
b54faf779946d55273b2834cd603da59

SHA1
aca97d0d23e9ed5ebda17c59df7391b6a29b8065

SHA256
abd63d5d4e3093735304bb2ff1806122db66e8ad7d40d89ebd368b6783487c03

SHA512
f472c0d1a6ccfe1eb1750e7aa298f5d04f4bb81b5144aa1c334652616b1b6348c87cb0e94b41717c7c1375af7138cc63fcd21a03646369b1ea2595152cd96395

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
1b45ce103f84e6581248c27e9c105648

SHA1
94f7a9c7b43ecd6b48cc43d197a1f21a40df8b03

SHA256
61189ab04d6e2b0e4f785b8eeabf5fb52b29418ad72a6c3a3c2e2d2ee05684b3

SHA512
e0ca3d013fd1a63bcfa3121664f2aed32652db02714dc1c6abcfb4ee39ef097cd7345f6db9f829eeeb7ccb5bca40a84ce99d549d775037bd387f74b2e8963666

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
c93dec99371aec39372ea43c20946022

SHA1
d14205f42cff71da32c5843eb8893ca60e5a707c

SHA256
c7d68a549b57807b9bacec9a516fef052d4a784de091b1f18c9659f84525f1d2

SHA512
543d1e436b86fecc8171baa93e852e61b37f442302e746dfb6593d9d6984bdf088b40ffd083901ec36946d69710f3658cfd192f0f19f36c238d160411c7348ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
800dc478c80d78d2c1ba7d1921dd4c5a

SHA1
239a145919105eadae9927b73dcdffa15bfff935

SHA256
f940e5ba33857d05003cc08a374114f9384822f517be9eb63889b0c8522cf5e0

SHA512
a2fb9afc52b104ea6c59f5edf2c3bda0a104cb0e65cc5a99a650c97959f0035e9d04a08eca2649036813889209edf5605a5c69241d40115628c252a3d692486e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
58bf2cf6fe2201ac2ad7da25cb3febfd

SHA1
be261fb81a01659f96fd716c7770d7cfdfca8940

SHA256
34acf4b7641a77d1c61c38e3fea9da485dcf2a339287a53e4fffc44fa8b61658

SHA512
0017c35adc12970fea27e56998a62147f8641e20f015d3e1f86fcf593afd89b4020306010e06717eec5791950f623f3bbea67d14cef91ac3e3bc3b7b31c6413f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
3449d3bc922fdbec9ecc62b80420b40e

SHA1
1b863d14fee297dc149c984cad705b361fa7a6e2

SHA256
c28bc4af87f3f9be76eb16c8129778fd4ef8b6b9ec9c6b7a5d91ab5bce1432a1

SHA512
853e9b3aa52c9cc8237c35d85bc49565e53814c7ae012bfe9708544f3116eda67756bebdfdedb18b38fb6e00212620f30cff712e05aafaf4e3c37c00254bb57f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
0c9edc5f04ff1a3157f641ef4f1c899f

SHA1
db51e3779cf093b3aa2c8cd5684c39d0b836cd9b

SHA256
decad7d7c4279e5621de57b5c1c1c91a43e81110580cac60dbefa4541926d176

SHA512
51d4698c91884c6f08c1f4213e967809ac8ddc38e05cc3c33577b25b78a93e56b03fc9168a83f202dbb0499f79612593f83fdd292611835d3994709cfaf90812

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e46c972aace07273e869a833933d1d4b

SHA1
e44bb385c741fad6671fe156d4c9f97ba51e9272

SHA256
f7a6e8b4a81da2c5aa63a169ef6b8403c001dfe82e20ccf69081bda2100e7846

SHA512
52c741a10513d26dd144fe63bdf381f8ed1a711e461bd421aadcc84c0140e1ae60878a8a5c9fb676c3f9519d96fe3dbe9874b37f3ca2aee10e9c059d864c037f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
1c15a00a3a22e20972bd527ec14a7ba3

SHA1
ed30a1d5bd775f121c94bc7434abfc1c2ca91e56

SHA256
2744906359933af6f01eb6f0ba6c43c82ae61fc3b0f50e4f0b302037da97306b

SHA512
13b22e210c56c33ce9332673fba611be558669b5b3f5fa8fa530538447222450cd53820c2519ef4ed0f9554abb018dc63d23f6b8fa4172ac85997e3db833a1bc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c7d9c893a2a8f4570843ad7c1d858bcf

SHA1
5bfa89be2736ea3a8e221d9e2a9c4f0217a9d0f1

SHA256
29c15387653427de5adb7c254981f8169eb90f3d8952585d934ff289c2af3d47

SHA512
6e8ee81da2d84acd2c5f1ef886b860c79f74c4ba56a5a16957dadd845381dfdaecb972073154c3c0ccbcca72565e7d5bb8fe502fb3f273efa795a11cf5492271

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6757e0a373d7a47529a98dc54979a683

SHA1
9ad0c5c2606219337af2bedb918f8ff34a5aa1a7

SHA256
fc9e19213335a64d2b787a7054746fb786290bde897ce2393b001f0a72eb5115

SHA512
36821a496ba85dd53103fa1c043c7f374c17c1d892ceab4a5d63efc09d282cfcef09a883e2fa130407ab545fe90e81dd7d5099bd9c887759557ed0afbe99c1bb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
3ebf5efeb72c2a3a2e65549b8c5de1b3

SHA1
48254bccc536c2cca53df75a670edc1a018254c2

SHA256
a756d1c27d4d517678eefd8a53ec9731e2cbb008ce594952cd7ee5b1970add2a

SHA512
c06b350182218f0f05354145a253f76b7a01cd39cf3d91c064177f13f3ac9e5c5c08e2ca472689f85236ae8c538f3ffdb12f33cfb64948a519bb9654494ca6ea

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cc1d139254dac2114e62d95809011492

SHA1
3b929bd56dd12be471f6b51403019fc9b5b34f7d

SHA256
752c04d4c97abd0818fece5b3f966a3db8699ab0146001dde2194571315e8d1b

SHA512
0e9d96f8802feb0544e774f78dba8b2602c072e7373211135c629fef8b65981aaab3907908fc62862ac30be7f68f1268d46a6ca93740c8cefe8ef0934add3f44

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
feb06e3c44169efc3071ce621ac9aa04

SHA1
5a200055e8c7c6e46b2ce975a45d5b9311437091

SHA256
add63723337d055fb828099be8036444d7624509bcf995b02dfd46f915e56f1a

SHA512
f31019214e5359539f03325a2730a6f92af1a73382cc4dbdc6ccdaa6458444685ab591476ea7db1e9c73261f2aaef981f3c0deb640f1775048378dc2f4af063f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
0f91afd873d893b41766b249b14cd9cb

SHA1
77e2f909e64abfa382528c968d49fa8545e9237d

SHA256
7cc5330289687487b7e52a00effac20a465a13d965129a612e725685ac848fc0

SHA512
00ad5dc7fab3bf8f53b489e69f75bae90e2c914580c956dd59fc847369c7f573c383200419ce6249dc46c70825b1477fa732f46488190a72b181020673cf46cc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
32051857622e81bfca999ae6c289a63d

SHA1
fd0026422f1d565dbd5c4bf466c840dc23aaf376

SHA256
b97b3e3c310e5ae3fd2e9bd3c0d169dc0a51dc12f176f1307a60a38f88f67b19

SHA512
be8ac9822448eddd28744a07a8a7faf40a452bc22fe863c03a7a5b860e23a7014c2109a15f90e1b872cfed20de13bbb5647c6f2f2c721fa173025bacdc37d8d7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3f1a3130691a000ef285be2906ac4488

SHA1
0737b8917ddaa9cd15798b7a8ece54e09ed9c13f

SHA256
26d5aaff9247656701557091ed429001bb619ed724ab84d08b5fb61f4fcede4e

SHA512
3005e7ba3d002fe7a15670e54a2bb8fc2df71c08e4d24b1769bbb3952f8c0734702c7fcaaea9111c42a2583312731aa018dad16f74335b55d338d7d0a697e4e0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a34a7d86208934195a9238a5e6f01cad

SHA1
eb40757c7f17dd2d69473d01a12de7f3c5fd5b45

SHA256
5013100777f7b7a9a017090c060cf07e065a2a2034325842e0324f7f580399cd

SHA512
3f84e2b4631678c470e707189b7fc1885a28a012e7550409cec664ec253cf1ee725c3eef4d97e516a929a34840dac1529a4285f558be2882814b58225b717e49

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4e4bcd98c21fcd297492ed4ce8f36d19

SHA1
975da00024f02c620ffa8fc95d7e588132c29c15

SHA256
95f70bd55f6dc41fbd0bcf7c84c4ce0fbc361779e66dc591327a5c1b7b1c2862

SHA512
34ac4806dba05cedaa14829230fb62f91bcd4311cf211eddc4e23fc53a55de61356b20e031dc85ff812da383a754eb45ceab936faa74371f99cd8293b465228e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
5a05f45808f8301d052f9bb5643b1546

SHA1
b04be84da9022899a46401893ac68399b51c1df2

SHA256
17f2c3b255120562007ffc5a5becd109e8d6c953a31f265f27cfe1471f50ae92

SHA512
6bec23daf14db5a94d8359c8f991cc74dfe7db99db6e226cc3fa9cde9a03dfa235819893544dd61acc954d5386d40b4626bc51330caa664079ecb18830529796

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d1817d788d6ae7ab4324d5e6520b0031

SHA1
cccf0807851b63fd6f7749805d3fffe9fe2dfc25

SHA256
33a6d5f676777ca98826ad53aec1e1bfa278e2df6b979a9186bf4c41e92798f6

SHA512
662f105d26b9d58e28e15f4cf0e8b78f4ac4377ffcfcb77ac862133b8dfc8e1340915a0f7ba217437cd1fca748f8b8487a2db557b4a818fd375be4f8de81b76b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
b37de64f0116ff84abca6d39035e0bd4

SHA1
94f953d4b3a5998622343aac249c41ad3ed6395e

SHA256
754d098a300c8284e1dfd0f02e0791a8cec43d4c08da3d125ee149ed049b57df

SHA512
d57ab9f5acfdc9ee6cf354c365dabb664bb7bbc4f0af2f6adb91653b4479ad26d23ae92dcde76fa4e9f5624e300c98ef26cfc1632f2ad2bacd3ad5ba01378bb2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2bda504a757a58aa80808966b0536330

SHA1
5a3bf8af6e06bfae5e24eb96f81258b5cfa1ba6d

SHA256
2948dc07821cd01d79d14bfee855dbcedc00e3b29ac5613611826ce4000ba36b

SHA512
41e3dd36a893ef824fc216268121ad1a4ab628afd95109657b5f789402398a040080b68c1291827c97023474074c8ccee86c0ddbf97a43cbe7d131b2acaebc03

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f3f7641e91b0db8ebaf92fb9de70977a

SHA1
d0d6560c179275dd9843751ede5ab08624ac37f1

SHA256
83fbce20f1b3c4fd38caf13e873031e42f14f2121cd25669b8b63fac9a9e4169

SHA512
92a2a718b783acbc1394bc177f72935afd12464a63d702941a8966068e60a168695ee92f803a9ff34e4ea802479fedeae2e0e3370e3c9051aaa7597074145c90

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bee518ab4918adf33330a36993136d4a

SHA1
1f29ec20c8eb481a4f3a2c1fef3d7e66d9d9ac91

SHA256
668bd6b5cc50385bd4a28821cb68f3f8fb8c55c6b168a03000ad65e84ef44811

SHA512
9863c0c256dfee7f49b976d7958d5f7fe52899bd389bb0fd007015db37ff566331fd968c4ca125b79f6fa60ac85cefa66fffb8be85c4b49820efcd7b0f6361a7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
a86c84ab01ed4ae505c3570e211c8d84

SHA1
15f1e2ff6f083e1851736bba9f5dd8a6f3e72577

SHA256
d1aac0f0377f74a5e8488c3b77f5d397ef0de52b4128271da6b1c48c57a1e28f

SHA512
cb28c7df997fd6a45563379d404fe09d4d21d5bf7ff5385b7f4ca558291bd7a43c899fc734c0c96e0004ff68d6fde5f33cbd40fbd60f295b6b1b3afdd073f0c2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1a636f8b4cf0a9954fcba099d55e7ed9

SHA1
5e2107a4d72c21c70ba17781285045cdd997b330

SHA256
638fa41d368a42b1ce202296f96e469feb9f0aef013c760e33c948ae1ddfb52b

SHA512
22d2f5a8ef84368839bbe4f2bb44926e2e868ffc6038cfb4a9a92d1bf6aa7a0e4ec6f7ac350301e57b61b28ec38f3ba178556c3383c4be95c2c7e05b755afe08

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a907ef385ffe0feeb8662152fcd9eb1a

SHA1
cf67686cf3bc03ba6bfa527e55175d656f331465

SHA256
23821d46a448e7dc37ce308b1a42bb3977e2be7a8d0712ab2c78de7d89148475

SHA512
da3a2eb670119081df0ec3a87273e4945cd064d06e401efd75066f73c0b9229dea2ae5b6af7bf5a1b755c23654f40251ca1288bf4ede1025052a7dc5cf3e2718

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
d7ca208c2c455589407f99e721c80d06

SHA1
d3e079788efd5132e65f42f97a911b76739b12bd

SHA256
a9aeb8899a77876f50acf9fa10fef671c7a9382748029dea33f735d9bbdc4978

SHA512
fa4a5ba17188916f02c812a4275f001d34d765f4474a1af12f17be461682c59863511b7de80461523918c343207ab572884e51053c9b09ea2cb96d1a925c4671

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
22de6893690629333286c3c1b5d1d06e

SHA1
d97ff03da13f0c182968b8ca18ab7b521b99a477

SHA256
032e073cc2a557cb99754f770de7763e6af3247cc8a7fd82852464e3e818e844

SHA512
0449c87fd17663df029a20b433453b6591840ab61086b0dccf27ae340714acf0f3c42d2f177f494fe388416f5c70e2bd02016fe0c29d3933718254dfc2f24758

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
7b4445f4bf955042cae0baa87d1a4e39

SHA1
bca5fd6783905556e2b9e12317d46c70299cd6dd

SHA256
1b9aa34a00bf36c6d0655b983c600f2584df1e70f6648f66e8283b8c339d1d3d

SHA512
01f3f01fa3a68073c710217d17ab9863b68238e9367998cb5e1984a20a8e4b12f52f573f8ff9204c9e7dd388e06cb7626fc9083b56eb2ecbbe455ef4ba56aac3

Download Submit
memory/1004-480-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1004-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1272-109-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1272-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1272-19-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1272-13-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1316-488-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1316-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1472-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1472-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1480-247-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1480-128-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1504-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1504-6-0x0000000002480000-0x00000000024E6000-memory.dmp

Filesize
408KB

Download
memory/1504-62-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1504-1-0x0000000002480000-0x00000000024E6000-memory.dmp

Filesize
408KB

Download
memory/1504-7-0x0000000002480000-0x00000000024E6000-memory.dmp

Filesize
408KB

Download
memory/1612-116-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1612-235-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1768-89-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1768-208-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1768-90-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2436-172-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2436-48-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2436-54-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2436-56-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3164-483-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3164-260-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3460-185-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3460-71-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3460-69-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3460-63-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4204-331-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4204-169-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4232-361-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4232-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4344-138-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4344-259-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4400-472-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4400-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4628-363-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4628-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4628-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4656-459-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4656-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4796-80-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4796-74-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4796-84-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4796-86-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4796-82-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4892-197-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4892-441-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4908-110-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4908-223-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4924-186-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4924-416-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5008-32-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5008-26-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5008-25-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/5008-127-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/5116-57-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5116-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5116-37-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5116-45-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5116-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download