eea3e2e9428a22c764024abb90080b2968ff1a1222314b2606f441cb45cfb259

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
Size

712KB
MD5

0e5fa55249be46beaffc7eb9b6100b78
SHA1

a6a7dac2165b38d8126dde16d9cf4b2ec5aa5b09
SHA256

eea3e2e9428a22c764024abb90080b2968ff1a1222314b2606f441cb45cfb259
SHA512

7824923e9ee7c877494945499355560d58ff895c5ec1bba11824b92d21d4c6eb24eb2fd72235a70558eacf0250e95cb0986282cb0f172ef87af2c765b6e7762a
SSDEEP

12288:OtOw6BaN6FggLbrQXbR7jqkf1Hm7tJc0FS3jicGWVSI7dMua43Ek0cIHAN4:A6B26LaRFdGJm0Q3WKVSwdr13Ek0VA

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
4264	alg.exe
3504	DiagnosticsHub.StandardCollector.Service.exe
4932	fxssvc.exe
3852	elevation_service.exe
496	elevation_service.exe
1900	maintenanceservice.exe
3176	msdtc.exe
3624	OSE.EXE
4560	PerceptionSimulationService.exe
4980	perfhost.exe
3140	locator.exe
4780	SensorDataService.exe
4460	snmptrap.exe
1780	spectrum.exe
4992	ssh-agent.exe
5048	TieringEngineService.exe
1900	AgentService.exe
4060	vds.exe
3844	vssvc.exe
2380	wbengine.exe
4652	WmiApSrv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\565064b1b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d18c38a98b0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000368cf78a98b0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006fd9ca8c98b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069dcc78a98b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006476228b98b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1db408998b0da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
Token: SeAuditPrivilege	4932	fxssvc.exe
Token: SeRestorePrivilege	5048	TieringEngineService.exe
Token: SeManageVolumePrivilege	5048	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1900	AgentService.exe
Token: SeBackupPrivilege	3844	vssvc.exe
Token: SeRestorePrivilege	3844	vssvc.exe
Token: SeAuditPrivilege	3844	vssvc.exe
Token: 33	4420	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeDebugPrivilege	3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
Token: SeDebugPrivilege	3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
Token: SeDebugPrivilege	3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
Token: SeDebugPrivilege	3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
Token: SeDebugPrivilege	3220	2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
Token: SeDebugPrivilege	4264	alg.exe
Token: SeDebugPrivilege	4264	alg.exe
Token: SeDebugPrivilege	4264	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 4876	4420	SearchIndexer.exe	117
PID 4420 wrote to memory of 4876	4420	SearchIndexer.exe	117
PID 4420 wrote to memory of 4468	4420	SearchIndexer.exe	118
PID 4420 wrote to memory of 4468	4420	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_0e5fa55249be46beaffc7eb9b6100b78_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1184

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:496

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3176

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3624

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3140

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4780

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1780

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1100

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4876
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3800 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
3b96579164b9bab35185a6dc44062deb

SHA1
c3e50dd450a3f0ce0cc25e34b31c420f8aeacb83

SHA256
a456129d7dc12ba1b29a259460f90a431cd5e5b84e45406bcf01ee6daf3887c5

SHA512
b2c304ee75d0b716183b8a5cf493029128655b24fbc826930f33cdc03c53fbd6be8808068c67793c15ddb3cb503af12b5a16e4369ee782da2058b9b5b1f59222

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
f01742a43cf902d7f96caa8477122724

SHA1
c8b63de594a0dceaa508d6e66ac4396f1b277f3b

SHA256
5e7cca1afd69a877aef6ae89adaff360c6b571ec3802efe1eae605634a71a360

SHA512
7e61afcfb3dbe7872c331d773f401d8c952f42385365ede2df6c3241114b3723c99d38144cf4b5b8263dd9950b8dfa2f5203a7a2a8a8ec7d377ecab3e7b8df1d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0daed8ce4174e97f4df88eabdd131929

SHA1
a18ca37041b05367a87f5ce4f3ff8d8ba52144f1

SHA256
d105608a440ff39e4e708a3793eb54614fe3351eae131a6976b6f06d85fb01a7

SHA512
c556d3cf2abc16f5fd680857d618fbc193a9e0d0d8cd0f0b31889dde0d7bcd054bf485d376bd79a7b651dd2acf1610c708a825ea2dd25e182186862702e74630

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
815205c9cfb24d80f9720471c6e6383f

SHA1
a2d42ddd37cdcae572dda12c58f672fc05332a37

SHA256
cbfadf3bb0e0ae1db4918a3c7586d1344656b8d29a1b05bd89ed0f1b2ca244d4

SHA512
2f3ce5772b611872a295f3c6334b3c39620ee05ba551abc3639511c4b2dcc3a7c46f28e283934da9878daeb2a506536b4dee7c8da342fcd53ae5612f3ddac907

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
026d39f9659142328238819523068610

SHA1
41b3ec5fb463e42531c1305501ddf07f48d0aa6f

SHA256
43fab5f2a3d9db6fd53317fd2acffbadda91f7fe061133c3ab5ca66df67926a6

SHA512
652ba17c8c33e7f3d12447b38738d08122d5d09438920c02cec4b23767bb72d2b643625b57bbbf0abce23b337425ccfae10c669e076a6bec0d765d9f8a423781

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1e8111ea5700157d5b4db1db92bcb524

SHA1
e62ab72ef57e5bc46ed303374bb3d5fdea20584c

SHA256
ca0854eb1696d20716bef06e18dc1200c3d6ebdd6db39e530ab462c2e88ae824

SHA512
a947e2cee32f98fc47b520bce1180e067c1046849a34d4a9cd660f8865c59054e32968109cf006b698172e5acc440ab31e70d2af8c4a0eafed0d9caa1d06db96

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
eb053c24e3d5fdb1c597f2212396a7b5

SHA1
645f15d0a9ea9d79a6cfc8a1d94cdd6c01b759de

SHA256
f0897e9c931e7b0d7333512902594ae480a0bb353e89157b4ab6fb2848a6fa35

SHA512
77506c5490f68f8934140fbec876daa7cb325fd3e55573d553bb8f1a908f9a8c74acb8a5da6c1f2f664d16ddd65d671ed24daf5b2a0406a2b0263bd9d39e6706

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c857c6b294d8ef2a1ab55ef758994149

SHA1
3e218440905132d1f962dd825ef2ed8a10aacf49

SHA256
50613f3e3a6bea384f55ddfcde70d7857e118d1c1782d5313e1041b99188cd6b

SHA512
de47dc3ff997f454d88be51e6753401defe4f557778b528de22eae9d87026a1dd43a7c3f5d485d12bb4d6859d98e6f134e98724928f38fc51bbaf9d2fd3c38c9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9f7aeab0cffc80d69b20366915317e5b

SHA1
6c60b798159ecb0f9cad8a65e83debb9d8cdbcf0

SHA256
35d36ed941c68f1fadcbddd3cd517428509fadb7f9a217d7859af1339d52e21c

SHA512
b32e626d2762f855c7966f462a1dfb026adba67115fc7b5eedf351a4cec3f913c46f599af913fa86a20284c06dc7c991fd92248b418c22c38374d88692361730

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
33a62339ddf03c5249bb110fbe12ba14

SHA1
9d95099ca2419d8034461fa57a38e8b8e5bd31b4

SHA256
53407d9319c82a304dd0ae21f224802c5f3b86e60e8042315d1ef777f49e3fcb

SHA512
b0101439fff26f1ac87c1702957207c5e3c213684631e8f5e822d1f817592058058d57cfb472ccad7e04e7c1ef0f41a0b01d4008e4ab65b983df0e99ad03b1fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4f419d21012d9b82a95befd4e1f3183e

SHA1
360509bfca81ae3011c1bd3b39d87fad24b0e3ca

SHA256
8d885604a63f5a535419a22f2c5ad73a306f3979a4e2b5e9ecfed9bdad38f723

SHA512
dd503cb4b90a6df00490bfffeaaac35df4cf3a2c07b76d64f0c82f71af02cb2f453c83352f9de70e4ac4749ce7a4eb64a034745bb0d5bbcf4c8c3badab4a851f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c9817eab55de8efdc79eb84c3b297854

SHA1
be127d4742b5c4b48f1b051cfe0aeb2d795375a4

SHA256
d81763b6c066f13d449d5db1c57711d44e8f4552eb0b6e57699723b3c830a679

SHA512
c5d3399bb6569a19e6f024517e4fa21285e4294acbc47e218cadd026d39ffc801d467dd2fbe3ca2358cdb5e82fd7d7c6b51c04c03a364088e7bf4a8b15c86a39

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ab3741e7a78d415272d5c75b99b85ad1

SHA1
3ab70856d88b8f036a4224fc2e3a5b2a2cd7d89d

SHA256
0092eb0dcdc6f98ddaaaeea386c3164763455e88b7e04459a3f611c043bd2475

SHA512
ee6f7599823700681f7407f07ae2d270a4a4aa63ef780d1e4adc799f7e3ae8d86af99e3c6278c65ecc0c98f7322a7556cf13f0356cc2bba720102c634dd1b240

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
61390a8f649c779e1af42beca20d5f97

SHA1
055639107c148eecb19f457a96504b5ece666e99

SHA256
3c42172942f07db90d1f4b6f85e32baf13bb416d095ec4e0f110646c16891ed1

SHA512
e6dfedf3bcf49c972980dfc2abd6585d257e7ad1f6be5069ce344c0016b014fe67fd52eece2d16f71eada81a621c55385e2e06e68828f697d969aedb261fc4e3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
9324fcdc391bcd5717cb8738c17ced22

SHA1
527e71d6245df10ed8d4c2996eab19aff67feb4a

SHA256
e76f25003acce1de38cb47663fbe4920b5061a18db227fd10aa79b2a590a8b30

SHA512
554c3b7ab88c8a6baa6488054cdded6398564392f7dbd77085dfa17245ab6a0cd6c466d82c20c597862e1497de7c6b44981a8832a77d5dc737ccaa939151745e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6c8809bf0cb44be43afc26944ecb385b

SHA1
eb61eb6caa1334869e7300acf4ececa8e94db92d

SHA256
f6043113e4134722195ae36f8e4c890e47c9f5cf3ef82983b1744ec8dfc19cf9

SHA512
339b1429aa68cc4dac8ac44e05033564ef0f23b24f93a559d4ecdaddfcb766bbf0acfb78b400c437e3525f6df24bc48f8be461960cee470e10d9edd39fc32736

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
69d8026a442052233366d7aad73b7ae4

SHA1
7dc4a671e85f79947257c9b0fa511fa481d66ef4

SHA256
c6a33b65263ecb0def7f0906e91b5cc401b718729a1f71cfbb2b7a9a065bd188

SHA512
fab286b1feef78c64b5f378337297ad545ff9b771db077ef21f31084380f6edf09bec5b74e1cd95c798f848817193ce38a20cb5eac45264ce5e03a7fc4f3db99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
b2b5d7d0e16364db9db5f2c660a2c473

SHA1
4d35b213bd5810d54b79610a1b9881496b757c2b

SHA256
1c54eadd63e754e26e9f425aa973f0e30478776d6b263411c5c30f739b4a5f6d

SHA512
217ba1f47106d87efd0410978b0eb521f54ea96dabd95058c84c49b631bf36e3da44e4bf9dd323236637f3376bf4d36f71460377bc85552aff98f4944ef49194

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
fd2313d3b9ade2e6a5fd046277362c9b

SHA1
604b851be6df6a62e642ee24b453a338730cb4cf

SHA256
9abf2d1c3e3e42c4148dd937a3ad34f454fc7e9754be2e52d2a91874a44f1e99

SHA512
a31067f657f9749f4281b5e6ec912e92aa5adceffff734a11fdd650fd6a3f48a48e314e150b82e1e6315672433fc4d2ddf99d196db176a5cb55836595dc31fe8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
fc8787c201ad67021f40167685493dc4

SHA1
1344b3f2476b4a294cd424375f791caa07de687b

SHA256
b0c643d0222d3727ce776c7048b7e6788fe276c833d387dbfe32586d7fb8f1a4

SHA512
a84651c981d6ad387683bc01c6fabc60a1375063c0e6457f831f363aee0f7821da3162ebc50195dda1fb82c2a4d96eb5a71bea09a57be103b33fb705fec24c8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
5b6ae9724e154465e7cb7ca32d79ffd2

SHA1
e515189075bfc81469598514c7e87cb098eb5bbf

SHA256
22d8da7a127df8d76df29b00139df737d4d768f272f74ffc4a776ec0473faf32

SHA512
109dd73e49830028cfd7ad8a5068b54773fa294547491038858abd18e1d425a889da7f9b6dc0510a953f627df02ae16aced2bfdaac3a805ce4b5e008f2bc2c09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
61720bf3301ef4b44f2f16f98be4d59b

SHA1
bab0e3a6014c4a5456f649bf785a3350e5ed0323

SHA256
09a7f84460aa5952024070655d63ae021af1d890c7d280275406c6a79e40b72f

SHA512
4f426868470d0b5443c4d4300b45e6aa379e92f0c4150c136d7ee622cd5400a35d1fe2c38440030783e21af46d70693731c478dbd8d140ff9b8879a251892fe0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
18af53847d85036a6ef2f24767bb609b

SHA1
441e55b94f567a00e10a0c55836e9165933461a7

SHA256
392175f3e8be61f772522e596b5614b86d39216c82cc5113a0c2dee30f3d4989

SHA512
9ec5a18f60b0b8b5b93ce34f80daa7188e31dcb95d00d49c35e13de988e48ba998e1d3e07711f459f4d02a40348b4b42ef98d547d1730978e407127be9fa8569

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b356c14b84d294782471adaa8d9ae651

SHA1
bb7e67ef858a85ac30e4f1bb0b05d38fd198945f

SHA256
f3a8eb4d470ffb92ccb48ca29e720ab76e21503abe69cefbdb9240afead3e735

SHA512
e5e24be0d5acc2e31763653d07c719414be4a48573922506b15ff56739fbe7b8dbbd2606d8e8ea19b0b871a91ad8f3f3ffa1381183059cd9bbadb95c441b5749

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
fa14f4b892967daa5b6ffabcc2ecd06a

SHA1
acfccb77a7ad99e56908e795cbd06e3191184f39

SHA256
9ce8211a52d88ac6acc10dc272931270b1dd569a5cea0a11f892e3469c8142cb

SHA512
aa9c1f73bdca5efc9291fe0619598820b15474b1615e6c61b0223c58976af4ca9398fd6ebf7d6e5322804c1e77a0ffbe28e96db77d35105504c0294fa848e299

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
00b0cd96dae44622938ec60750a1e917

SHA1
db8322c98af7a4ce8043d0e6ea9a1932c63a718e

SHA256
80bde411b13564b4de1ebc3c697ca82312033fdcfbb734700c1172ab394009cd

SHA512
3d58f4731e7e8e351839f646698c1a5360718b2735b8ce14be056ea24a2d53973505f70403c975eb1307bd7bb4a214951047360143598ae31ddd494a09728950

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
e3c7d1ac5bf47d60422829bb6d1f9c94

SHA1
01bc151b9f473958cfdabb0a03deb25675ae17ea

SHA256
4fff13f7e9577c9b909128fafea9e353562f44e2f022a49341b81b43918fd6f6

SHA512
a33856673f6983080f69fea186439f6f1abc7b3faef2b6b426ae02a9423caab9f5cd110cb03b159802f8188efe14c669e3e9397241fee9789ab29b2a3370ff7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
3dc1d8a41e98516ad92cf0c8337cd3b6

SHA1
023b5c102fbaf899dae283a50fbc71d553be7f5d

SHA256
1a33e4c85e44ee5ca647898b84dc2e06fe105b57bd6228a43fe0ddeac4b65109

SHA512
90df91c0098f35b0381db5fccc25e7875b0dd3336da260f22f27c3a18d85bb2c8de3ef0747342dc98733197c07ed874d7bf94489849eb6bcbbd240090067ef84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jps.exe

Filesize
581KB

MD5
bd9d60595f64e99ba815391b2a1c1ee4

SHA1
3e0e1ddb6534d6d0abf8ed00a945f9ea92d19698

SHA256
23d6d3f53170d9a18e43828f0318b76af888bf5dc886e2ecddcfdfbc887556c5

SHA512
0564cd64cd6c5aad4910f278d53e7c4ec1ea485488b1878d5aefaebccbf8305c594c6f2c32ed139e85201287057ba79ede12b809a69f34198e450dfda5866446

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe

Filesize
581KB

MD5
081167c88d64efcf8b5f438159f59269

SHA1
e0233d5116d9befd8d75ce21bb78459473693ddd

SHA256
2e8e37c8fa1571ac7530770fce1c551b0691a8946856d95e058f2afa5ad201c1

SHA512
91882884c0eea7a83f66db0dcd37fafc4fd9ad0da82d293ba6f70e89e32e6cbcd1514338367261013f43613c35ca1e972bcce74b87ec1b28c50e4023b21918ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe

Filesize
581KB

MD5
4c05c3d9e329acc45c830024205e3e10

SHA1
0bbd484aa509fcef19253cfc58af82d06329f443

SHA256
8cef14722ee9e262813cfad2379e274960e7e2fcc8cc88b9dca5b0e55c8ea481

SHA512
eaf84e6fc0aeabe10924598cc4ad179dd1b38850f9d8548a00b44c4fed3b8f0ff39306df3dd9e3913c4a0c6a5621a9c8716544aec04e4d75536cfc7cc9bb0773

Download Submit
C:\Program Files\Java\jdk-1.8\bin\kinit.exe

Filesize
581KB

MD5
3600126ea7dff755028d9a4b402347c9

SHA1
21f10661f83543585a59b2f339b87fbe994cb5a1

SHA256
fcd1a69966bc32167166e9118f68e9c8a7392ecb82f82093365b6b385d8d6c87

SHA512
1974603d9cde2bd9e6d9e3977f57bb5add45051483f208899bf1e91384f6b29fc3a09aa98c92c4da61928c39973bb453e8c341e91e47ee192deba53997df6212

Download Submit
C:\Program Files\Java\jdk-1.8\bin\klist.exe

Filesize
581KB

MD5
81d39c5b2214d056b1cf9af5cb8b5fd7

SHA1
27e91609f79daaf512ee55e5621e6abdc02b1eba

SHA256
e416ebba3207284e352a619c2017672e697dd4f7b3be931e3b8a247250e45a47

SHA512
ec553f007f5a24241db7182389d9f39cec826d709b0aa1ae1a124a8a035cb945f03c31167d7b3f0abf2503bd2ccb4fe5ea43f263fc9482c8fa74fce040478590

Download Submit
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe

Filesize
581KB

MD5
952672493ed8caa50c7cd3cdd9e9e0b3

SHA1
b8b06afa2de502bb458c947083f58e012fb24ea5

SHA256
8be53a11a509b2be13058ddd39c41c604ee39172c917d506e92adea6989d1675

SHA512
9b739db56be000ffa580814fe09311eb6c0d8f3c15154581611291d388824c91d0a16126cc8e7b4d089aeca07ecf714cd743c328c19b116874bd2d2b0c1bee12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\pack200.exe

Filesize
581KB

MD5
cd68405b59a0caab05c2fc018badf216

SHA1
3ec4142d19f1d7a80820490eb11e332215932e3e

SHA256
c8b5b1895e0a51a9c2688653aba9496e300c8a10ba0494a01635e8520fef9100

SHA512
b122da68d5292c1e31210fbcd03c435f2093d2ceddca5c5580b5f5fd16aab19a6f4203f5a607a3903d0e229c058fdb7fb1585facd0136c0887fac9841f319801

Download Submit
C:\Program Files\Java\jdk-1.8\bin\rmic.exe

Filesize
581KB

MD5
260b4c472dbdc1f670ac93f9dc9b6261

SHA1
e7076c5dd22ced1bbc681ddf702ad409d2c2b90d

SHA256
13254f43e9ba6d77a6aca6a2f364cacfefcc54e592dbba028639bb8d7d16b365

SHA512
c908ddcb29160d3996903691dde6abfd7f4a95fc37d69276cb92b9f7120c84bf3b5115a36d40afbd01d63eb96ec03e8f50b9770a50f6c9d3f4daad809b48666d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe

Filesize
581KB

MD5
7f7019fe84a59b1b4853f3ee311afa95

SHA1
cddaf1b76cc912f4d622bb59bb526e01ad20e0cb

SHA256
319a10795010c98033dec6f4e54fadcd1b53ee87b11a2fdf52339d31ff0a63ef

SHA512
d21b76948b221186c0dcc11d8a95bff9449cfe9f62cfe998aafa3cfe49ac00656a5854b5cc65de6c95e18baae4e433e1c18760553c2ee27790919f1d17c907a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\serialver.exe

Filesize
581KB

MD5
cf7c415b2b4f251417bdef064bd99699

SHA1
08003c0106f42dcef05a7eecddce37eed36491d7

SHA256
0bbe611b30dda73a531086f7463a6aa0340712f0f1dee3dfb921e1017fcb19fa

SHA512
5b6a9ba35989626c0cfbf4e0091f0a5b3a4529f5616f0bb38f6db21ca65bab02486b2134db54511a0b442c09c9032343bc52c122aafd1352d0bd1989670fa7ff

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
333ec3b8c49a456bdfd4d8e9e37937ee

SHA1
69d71a41e667d5e4378a8d054e8ea39f74eea999

SHA256
384af295e807a2f4238ee7d75ee52d099f1ae048c972129864c99588ec122140

SHA512
4d481cfeec872583cef798b0607a4ea99845c19cc418854916aaf5c8b80554bcf97d24ed69fea4a871877850620da7710f571d34fb0bc21156b4386a56255819

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c77fd929d0afae477859761b9850e8ed

SHA1
fe0c8746e6db5bef9eebef99c2cf1e2cbd71fd2d

SHA256
4556685f0579c1f09e04eb4752d3c000d0e4b802a7e883ad0c1d3fcf518a1133

SHA512
9d8357115c3ad022f2fed0a29c08ffa2393bb5c83b9ea02e80c2df6546b9aa77222cc25ad898e5a81a4e8ed571a95e24fd23705d92f67da75d54ef61fcd487f7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
749e6f4d29188470a02f264350a67f2c

SHA1
6a319f1471d19c66865f0298d034f5b5d4a11336

SHA256
d460814a93c050a15c5279220de623df9836326a8e3f4a3a6e5b3373ce379da1

SHA512
758e42d1da808204bc805bd03b8dc59a2f6ef6775c3f2a33da564963294c8e30d07fa240ecb4246cd48d8d7628acf5d92b143dcf2232bfc4da0ccf8d89052434

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
84d9e3ae2f30d10c8f33864a950c7544

SHA1
3300837b01639b4be3d5aa02b6a3a24351c27955

SHA256
cc6b96b25227a9cd9af9a9924f8b590d6eb30fcad5466f41a897788190abdab8

SHA512
460181db39640612165d9ccc19eafe54349876e1125fd31f36efd8b0dd86f438e4d1a1c5247f9d309a1f94fca874afb68adc3b405f25f6e16d6225a7382462ec

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
fd4bdb33f2102af40f4f07b03494734b

SHA1
1b414c4fe00fea5adff412449333c5ed39cf1738

SHA256
6c17c28c26a33b6bca96d068e08dca1d79e7ad9e6ee38bd4bbed32e3827b3755

SHA512
42a7f3df8bb54b1fa13506791cfba7b32117a3973165cb18bdb6f218c72e05afd93631dc98764718d8b3207051a75cf5f908e7b5098eb89efafa49a53deb1b8f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
86ea7fb1802baab0f53f87fa995e57a8

SHA1
ff381270d7b3783466fee7506f181f7846e85d3a

SHA256
69bfe5741edf7849fbd2d7f8856cd5cba1ff273b25ae8e6d6fa3899d19182929

SHA512
e7dcff2b7e2912be90af50fe7259ac68b54ca88ff5f3c2234c5c07dc8598c0c5759dbf1bad15107a8d0307a4260cd65da8ab03cbc05d16d40369cd1e7751c0a6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c7d9d469080ff1b787fc755bd136c8fe

SHA1
0e6538abbcda424965bdef82410af099ebdcc054

SHA256
0124fc280a4c3362144b791190e8087e36a57409e13a5a4b31fbc9408d571dfa

SHA512
549977b51507a4e534d770f07407a6ea1ccea87d4c582adee3e6d86d8d5d78a534c773065fc88e0c3d108368d5f70ceded7ec5591f371b97388c2d4c4c2feabf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
891f2a20e9400817265bb22d37af5722

SHA1
b69e16c60314de7a51389395acc3a55e996236d9

SHA256
afa31f78a154b3ebae6de10c60d6a1fd4a3db8c0212a7217b0d35738c1068dac

SHA512
2606c577530c29b15e08467ada2b46dd6baf64f68bca7ab01d46242b86e63e74d1911ab2f5ba28a061e4d5aed8a89865e52e4bbed6c2a22da3103e6544b45a85

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0c17a09c0360f18df8079e1d49be7f9f

SHA1
5b3fe67e4956d0f1e883867a4972936a5f348aa8

SHA256
f98390577a45422e0f3bcaa01c3e966ceef0ba7fb578af005ecd47be88616d6f

SHA512
24c8507ab0846c7be621d35c980aba6a09fa83b0e1a8ca30f32fd722d0832635a3bd39ef94f6b192762c1fbc462bb0f17f8f0be15e0585c789a5d54a56cdfc81

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b943ea2909fa767a235e93fa43b731e7

SHA1
56acfc500119e2dd62360e28425c58c9d2c6d505

SHA256
f6d34fbbc2c7ec19d1e6e87a8902536b9a0b44b0678dfe1180b918f4643ea818

SHA512
4f381f0c163c3cfe4170437e369f568d25e0d47b0e33253373801774c89c3db9321f618af1521121db461928c5564c9b776edde576ba3ea3db0e88d445146818

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
59cc6c362451b979acc344fcd39efbbd

SHA1
987e95f9567db30ed7b8cc7f094c4cd0acd5f320

SHA256
c82d6af98e32c8a35c2aba2fb21b9d03b19d313eb4068dc36f1928f842aca4ed

SHA512
5672226d3877c8f5f35f071a055dd6f99acb568b9c0e1c9513c4a7ab5f4bdb7df9e3209b573168d35dfff045c88963145f643e2812392f7f1bb6de8f4d1fbd23

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
55227c4686fde01f92faf59d30e9befb

SHA1
ef8c95d3c4daf13e603207f7d00c5da7e1e8144f

SHA256
49abc16401fdd8106b7d2cf8f7c1cafb3f349d457a19c5f512874adc16328298

SHA512
199a6dfa92fd227de32ec651551cc5b1c273079809c8e151b3270688272ea1c9aef98c3afa0924c286d05b20bd36c056dbae402958b8990337ef2ebb467c7154

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7ee69535b69ef88f10fd0c9962861b7d

SHA1
ed621f1d7311d12fd539f3986e4fcdb67e0c5e6c

SHA256
2782bfae1cb8821a9ce1340407eb4baee9749e3caec87c1a7d891a0c2cdf3d1c

SHA512
a8655c7b60b7ed3c78cfc00594865c26efd60cc70221e658e97a617a5c432b16774a6439b66296d1c25d305c6e075617fc42dc6abd0012c73dad359bcbbcb09b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e4393dd9ea3c07e9051acda3e129f343

SHA1
40e0c5e678c82779314615a21aee12f10542b216

SHA256
b1b60b2868ece6b52713ab498d06ad04a7f3146e6145cf42f87f4f260b0ba63e

SHA512
caed449d71a04260b7ac0c05a9f6c8edfb96eb301b7d8e623676eb417d41f93cb19d4306504cc00c7dc993d7fe38c9b10a9ad1e730cf9fb68a5b0c5e84131018

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2e52320cc1dc83503a888d567ae1f52e

SHA1
14081ab71096c34bb247c11a6c6ddc10ccca60e6

SHA256
47f928fd78d6192d9df9de1c7417d9ae12298d0d63a92bc008a1ea3afaa014a8

SHA512
a2e71ad545836b00503ae4c282e9c91ae7b016f37e757246f12e93f87e9c99c016c6e6be71b5e10ec47ca5fa6e6e3854eab52d311514b7d063a86cfadfeacbdc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cc32824ca20b98b0cfe655b8c985b39a

SHA1
8d1555324484a27f3fd49ad7f4ab38847b602899

SHA256
4a926c379928d454430cd6ab8aa493d5e2f12532cef5793ed80e4819880444a4

SHA512
48ab26b95ff65a713a698b2a0a6b1ec2ec3177f02aaea84ac8e26cd8a0fc2fd5dd33a351a5da67552223defebadcc9b17d49ac77ff7cf24ed4c6938d19861ef8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
44ba5c6631ac5b3eb82f5bc86b3ec892

SHA1
9d1609d14ae3a78fbbfadccaebd67219d233afd5

SHA256
778dfc6c9682f9848c59dab4c71fd179d198fdf3308c86eac746cbcfb1d3a9a0

SHA512
a7b4aa8a4dce70239e3efa1baadbdfa98286d364f14f5f2bdb4da8e84195fb06a96d3e64fc3a7c60bbf14108a6b361623c25df3c9e0f5dcb5f8af3b6986a422b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9f0f6881cf042f5d4cedbebb7de56442

SHA1
fc92e6cc3460f22b19098f3afddf02874dd1380c

SHA256
f733a0ca80c8f9fb8409178e61d7e537e1a6fdb3d5db4127aca376bc21bf180e

SHA512
25e362603980d2fab98651085259e6b11e665cc03b9ec0c492eff465884cff7f8938c8c15bea516e268507459d43b03b46e40d4d3b613145024c271d7948e899

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
47ce33258c0346099ab2defdf79f54c0

SHA1
42df47a72aeb3103d4af3d6460b9fee1e4940722

SHA256
0da3b8c3b56eaf341463175bf421d4b1848d35b9cc5ee5128315437dc2ddabb2

SHA512
1ee339eab2613f471a00121b8327755997949bcd22b55fb2e1d052f8263795c2a74edea04eb43174d0655bd123ad9d865d93b6a82de1f65cf914a0b14ca8e928

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
24488a04e23380ab0d470a72fae08b62

SHA1
9d72e0927c35fddfce5613bd3f4f0fd6d7345908

SHA256
f27f4a1ab49afd10901438f0a340fce5c32be29913dfb22d40ffb7df8671297b

SHA512
399ef6909764f40cf951aff95c95fa6d39a2be5297e0a0f02629c4ef0b2716a402c9ab3b4b4951391e2dda4a6b53f0b8f734ec681263c571c7617245c28349b4

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
79f1715b0443ae3428e571fb4ebbdc25

SHA1
a2b466f3f0f020084a1cba65e58248bdf1e6ccad

SHA256
ce9849e3f307eee62e9a5a3a11d6243329f62020dbf9b803fdd57a6d545f5303

SHA512
cbd6689e34cdf8b0dc93a27183849f2b7a99dd8dd917446ac3885841bdefcefd89b078fac67b6f0b647e9c6c03d0861827f206ad6427c0b6b800508e339eed3d

Download Submit
memory/496-179-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/496-71-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/496-64-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/496-63-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1780-365-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1780-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1900-85-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1900-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1900-88-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1900-81-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1900-82-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1900-75-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1900-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2380-397-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2380-244-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3140-132-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3140-247-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3176-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3176-202-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3176-91-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3220-74-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3220-6-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/3220-7-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/3220-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3220-1-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/3504-128-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3504-28-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3504-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3504-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3624-217-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3624-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3844-396-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3844-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3852-60-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3852-166-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3852-58-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3852-52-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4060-395-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4060-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4264-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4264-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4264-102-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4264-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4420-415-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4420-266-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4460-334-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4460-155-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4560-229-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4560-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4652-248-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4652-398-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4780-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4780-368-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4780-257-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4932-44-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4932-38-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4932-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4932-45-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4932-48-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4932-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4980-241-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4980-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4992-180-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4992-382-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5048-199-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5048-391-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download