844f89b2e912a2697c85bbb20129599114341c7187118d7a0488a8f4ae092f0f

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Size

1.8MB
MD5

fccaf83565e779c83da236f7a44faf53
SHA1

e2349578da14b89504ee879f9417af6310dc0da7
SHA256

844f89b2e912a2697c85bbb20129599114341c7187118d7a0488a8f4ae092f0f
SHA512

917994aff35e00fe6ddb94d05e5757239e3f4b5dbf870264da4f4359a96622b41d9682b03598eb9c247719ff4883af8229af423ba86e755535b77bda51546ad4
SSDEEP

49152:QE19+ApwXk1QE1RzsEQPaxHNWdPGM7nmoOl:193wXmoKOxB7nmoO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2268	alg.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
3840	fxssvc.exe
2284	elevation_service.exe
780	elevation_service.exe
1700	maintenanceservice.exe
2564	msdtc.exe
260	OSE.EXE
1328	PerceptionSimulationService.exe
1088	perfhost.exe
1224	locator.exe
4588	SensorDataService.exe
4532	snmptrap.exe
1944	spectrum.exe
2140	ssh-agent.exe
4656	TieringEngineService.exe
2240	AgentService.exe
3652	vds.exe
3000	vssvc.exe
4540	wbengine.exe
3880	WmiApSrv.exe
4264	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\36addd02b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea4d4cc52fb9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c64e14d12fb9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002854d0c42fb9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aba973c92fb9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000389a8aca2fb9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006963d8cb2fb9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077b997ce2fb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeAuditPrivilege	3840	fxssvc.exe
Token: SeRestorePrivilege	4656	TieringEngineService.exe
Token: SeManageVolumePrivilege	4656	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2240	AgentService.exe
Token: SeBackupPrivilege	3000	vssvc.exe
Token: SeRestorePrivilege	3000	vssvc.exe
Token: SeAuditPrivilege	3000	vssvc.exe
Token: SeBackupPrivilege	4540	wbengine.exe
Token: SeRestorePrivilege	4540	wbengine.exe
Token: SeSecurityPrivilege	4540	wbengine.exe
Token: 33	4264	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4264	SearchIndexer.exe
Token: SeDebugPrivilege	2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeDebugPrivilege	2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeDebugPrivilege	2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeDebugPrivilege	2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeDebugPrivilege	2548	2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeDebugPrivilege	2320	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 3944	4264	SearchIndexer.exe	114
PID 4264 wrote to memory of 3944	4264	SearchIndexer.exe	114
PID 4264 wrote to memory of 5092	4264	SearchIndexer.exe	115
PID 4264 wrote to memory of 5092	4264	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4148

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:780

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2564

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:260

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1224

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1944

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4440

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3880

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3944
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3584 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:5216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
d36c3f4a6c2f13cd8686f6a0a92c5b12

SHA1
5d480948e38a5d2687c45ab7038addc1de76e323

SHA256
8193af4a749c9dd6ba13eb8ff827ff4ed90c11c5a409699131c4a1a95c856083

SHA512
9d86fd616cc0caa4b86b3e95e6acd64e6e8baddbff32e47a069defaba1b5930ef2d538417c2a2af6899c443a7f04f6a1f700ab98393c83d7d1cb3f54c2e3aeae

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
93bde3c9bdf6a749a6a1edc49efc2813

SHA1
33f3f758c15d26a3c89c5780938a0d42672b181b

SHA256
1fc9b583896d14fb69150456fd8cde17e1ffc526e99fb6d18a7efc213eb5829b

SHA512
780f706cd4888c52eeb96801699741e27f67be0901c0cc6097fface2d378832d4bf58b814c5e49aa7f8de97d27deefe8f9864db93a66bc14c85ffce1aaed696c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
57a4101c122db3278acafab3d81ef508

SHA1
d752cbcfa4380d25827304488ffac6303a1ee44b

SHA256
73b3b396c5ec44431d094b40194b1604407ab77aaa35d2c285f10abd5af03ee3

SHA512
d301e18c1fd927b6d112256e4f9105adfdfb1dc3967f155b950ccf1b117319692b110f44c841688dcb7a154a13e622fb87a69e73609ebfb6ddf56097729dc5a2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
741950b15b176904b75ca510b2b6352a

SHA1
b0a9008758113c23ac983841c37298b10a6f1ac3

SHA256
8562c6bdcf557d90ffdac74bb81c480ec6ef3a6182b26daa8eb13a644315af3e

SHA512
a865844c988256071e1508514a8cb9c00caf962a9faa20ef86fe5f90248f4ef451f634adf73724ea147cb6cd257b9e414e587e7a096cde3edbd31359683d5e9b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cfce9f479a154d42b5c32911abb7264f

SHA1
0f0afc6bd8c6c04a634969e7d7c1729109b9b5d2

SHA256
14e9bf408eebcaeea750d0ddd518a0bfa23b37afd75eb7c9527ea3be13ad852d

SHA512
93d003576fdf2e5e4d70347a81b35bcea2a22745705666fea722c0139b74471c4195d0a3a0a05b3df210cf75b5c687fa18efddd8278485abc50322fd9ebcc67d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ed936daf0ddccf802bae0262e917614b

SHA1
62e27d4a177b6792ede448bd8028c240c08a5263

SHA256
0ccbf577aa30540aaa87c9e6588c14fdda4a04966fe67dd557a80ce75feac558

SHA512
2f1270ebc9fa07a667d585201360a75a55a574f6faab2ddf78b8267a947039b029ceb4d70bc3191f3dd76bcb9e3e7f5cd83101227a20e3bbcf1b076ec1a3c542

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8215ff48bb7192151fa63b1c7cdfed27

SHA1
9bcca58e9ee0263853b82231f627eb6aed8eede1

SHA256
e7542cf2a2cf61090fd31b78aab0e9e2cb8664c473bc050b2cdfd5d71497e71e

SHA512
a52e0c41a6894a5ebe317b4573b385088e6153f18f0bc967aba5ad58c5ccf97f3ba59570f1b72413f7f8fe5b270d90e7db24f1b5f4817b3a54d679f5e2ec2400

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a0c037ac4c627962de5b0fbc8157ca04

SHA1
ca4cff8d2c71167e3babac9a032f889559777892

SHA256
90f9d2e764d017c8774d95c722993f837623b94f5cafb8f05a6e61410ebc7629

SHA512
f87be33fe56e51a296ef94d4f726bdb482d855a75cc677bb9215b3bc94c076546628bf5d1c903c5cd561eaf9c40d8c41902ae12d2890361c103ca22b7c59afa8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f87a5b54871d0aa49165d35389006b45

SHA1
ebc1bed617d9c0c7120437b4c2c9cce150dd318f

SHA256
2cc7585835eb62396b15c195d11d376d6719ef7f193fa4fa90c104bb23d6f173

SHA512
a564106078d590b8318f054e5e23171e1ddea626d84442e417173b3f2f3371785d36f380a08cf87a282081d7b44e2ad81bb5e77417af3aee9dd4718b68a3d5c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
512adaed8a2d370d5a26b15e7a3865ea

SHA1
66d4b93dbc0c6baf8a75693817e17b2d96cc7ec5

SHA256
9aec8ce15047d79f0c208f30964e9437e68e9083223962c7a3136aa44d7a1093

SHA512
fa53981a14e2ad6f59ea1f82e48dbec35c181d1869f527ac17df922cf2353134332d687a599be21e726be5b3747bdac333e3de296f7dcc798eaafb81f240a5e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fa54f8e0989a58af819e33e25f808878

SHA1
6a904e0ef8c3041aec3cf7f66afaaaf42ab0d4d9

SHA256
2928cb25004061ee9458ea6bc1a936c62a93757d0788efb006476042ab4db1c2

SHA512
0e6d44b7214f0fd8f8dffd68ad1e45afaa5b340dfffb5126a12595af2843f06849924bc42d6232abf575c6004b58af5ff9997ac3012db8e80ba19e33525905aa

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3350429072ba3260eae90d3f97a85617

SHA1
10426bfaf6e7d8676d229118b615712edf9d037d

SHA256
e52ce6502ffad408b7fdc59e0d1930e31c1f8f5c18eb9db4b6f950d20ae6a965

SHA512
1d2c461cff30a0a464046852fc8c2e06efd446dac49f124c53a12985666aaa66bc7b96f76f7e4dc83380229c6baa7ce51b9f57886ab55beeac929e60ccb7f69f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
70ff61ff2abdbbaa29020f1b792e1d5f

SHA1
fd80f28ec239da154ff33e95e433ab00231b807f

SHA256
2318a9ffeb791870df84d521875be4bf4ffcbefa1ae4ca22c2a6a39550087505

SHA512
54b32852377162bf8e465f72c46344e118cd742cb4f26b7852763fd9767a30bbfb8d0cd52da2314c32646cd89c1f950a344421b4cd51108a3922b60570065b53

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
1ea0193302f9f5500bb21280454627d5

SHA1
e8ad10296c19e12c99331f9865f08629a5eb47ae

SHA256
a31672e8502754d249739dab790fbf1a5e73b095df74676593b5593ab8cdb485

SHA512
ad70b76b8a5e919c4b53f5092976d45d0bfaf6d1237b49a4fa6f08931c4d891298068cb8d5abed0f073d1005658172441cf5a261a5553ec848c075f0530010ba

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
0a9ab25dd7b7aed8c6b5b15dfc1dc01a

SHA1
44fbdaadd300c0e47989a488c96cd2b3875a3315

SHA256
886a10cfdcada9abaebfb096fb4503bb3f516735a511d5d4f502b30b1ed4d2f5

SHA512
c843b2f60110bd36a3ab50970641ae4bb70463d5287ae94b862d69d3d584f3db2ef94ab5f39d22cc149651eaf2dcb3821bb15d711d660d069b642acd65b85f08

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
5db3020c1faf595b2d01676fac184888

SHA1
913c990bda7fb83832bbc10bed25f3caa1912f5b

SHA256
752feb9df1700620b9f65e9dcc84bdcf5b20f8c6a2a371fbc400aa9750078bcf

SHA512
2deea0415e1a6c913b69edbb2df600aca01fdef8d7c7ca0b1de6562717394afd7ba43ec890b878a005d8c2ba18564dd622edea83300de30db21739f03c67babe

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
ec99433b7b430d404b823ac98edd0673

SHA1
cb9c371eb2af552fdb03c0b65c8ae588fbdc8d2f

SHA256
802328a883b34033a81a088681d8333d430dea21aedf65ee08872e8edd0d5851

SHA512
3b8844c91d48862dc06712635b36effc064b3ab0f12ed35eaa44128cd70a82a7b430888edf56d68af1bc064394f1929b963a37ca1fe9cef3a0a17db0a28fdc73

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b4d113bd2767a7ef1511010a3665085f

SHA1
efc8f859c4d72ec40c68f50b5b4eb57b6165b685

SHA256
dba05f99f1118eb43b641238b856c9c14cdcd50018b26c3840a6a96b0b39fc93

SHA512
5f89c6ded0cbd8abbf3cd6ec2ec822c3e4eef0abda644799bf68582bb93dee6ffbaeec4ff17636185fb6b277671ed290800c11cf21c5629571d12d1296b006e2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
9212b92e63e818279156d8253d26b14a

SHA1
64f8c69b49bc4c021c5fb2d4095623e6183daa55

SHA256
66d878072dcacf49884ce5f84b4b123b5ab9a921260c57afd20238116063c227

SHA512
b6ffbaa7a8eb527c830fcfa6e087216e90ac19e16c7b3f76bcf08ed7d7e9319f054d923733fbe94b93b88ade69cc1673fdc80b0b0ce882c8dd64748e8d2b0bdf

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
2d079da3837fdcadf11efbccf18ad772

SHA1
2edc3292578d585da295e4c41b03c24d3a9000d3

SHA256
b4489d039fbf84e56f1ed19a4ed450984ae40a03ae4681fe13bea4133a32c9a8

SHA512
b26f52f93a3c8bbad9e5729df59748fbdc68e1528a862edb6554805e18d02efae789ddcbe400e79cb3b46ba066b5a3e4097813696ea04c8d410db61778203dad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ed877d82304d51cfc099e3af6689f9c6

SHA1
a443c2f67dd845ba260be403c4bd2a1f3cf9ad9a

SHA256
7f3e16ffb8bf1f77d74a17cdb03ddc8e6684df9263cb8b9d69f542214fb8d090

SHA512
817f8cc1c9386662bf1e2e0c8246154ed897bce38f957480dd768aacc9ad2769664f122166b38c8fb97e93e32ec4827ff06c172b372f0146d7a6b95ab6e96787

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
136ec6040b0f5d598c51247bedeff4e3

SHA1
ddb4d700c330986424594115d049f73872a5addb

SHA256
91a9097415e29bedde9d106a4edf99ac0cc106c5d98e5de2f17cce1e1014b84b

SHA512
61e5786cf7b974569ffd36df1a33a24d7e4e594b7bef4c6eba80615f31776351cb5aaa38bf607d6fb94dd9ca769533efb5773260e0a3a16ac8b653bc8ef2e863

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3cacb525fd8e17ce409ead5b26261903

SHA1
3f89c812aa0562e037decb82ca7b8c82cb178721

SHA256
bc957f5538d586cd9c8eacd4d3406b1c3e10990364f787348867aee15f249edb

SHA512
f07fb290d88f9c113775c19e53f953fcd79e7663bd80b3af588e9017b37f0d3cd2e0d69a2e2b278e058a935eeb4ad3158f9a23df40c47ef2f1a5d987b593b7dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f84f91328e748870b7cf3b4c53a1d028

SHA1
93ae5f2104ec721b7b62a6542bf6a28042c00905

SHA256
ffbfcaa5fdb64f7ee66db49878b78c3570cdf1e60d50b208d448acda4ebb92f5

SHA512
96b773f12574b879d18344e83780c4738269db08a59d4a2326b781c4231a9311aa4b2e3d4518b1ab406e58f21eaf5a803dfcf646f43ff6ce95a8c1cc4ae5797b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
4bc08c9efc229b818061dcb116ae6edf

SHA1
d8e0d95d00f4735ad3bd6a3f26f14af95da9cf96

SHA256
730223556f021dadec718a633b59f1a8164a4836d4a61f4c17e0fe0ea3b6de3c

SHA512
72d287c0d516697d8d58b217d12da39f14392271e96065bb88f1c5b5d81f07d01deeae4182bea5f7474836668b79077438d8abf8e1936252420136e2ef246901

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
26779f6547f113f656310b6b4be0500d

SHA1
4150b8e648e89efb2ac2a6d990384d6a9f38c7b5

SHA256
301f15dd617d174d2c025bfb58496af0a2d08a0cf2894bd35086a08b9b1dbfad

SHA512
315cdc940d1592d58fae627d58a3267a9c2a95fc3e7614da87d6d8f3089f0b3a6895dc658efeb656f98e8c2b38daa0baba7f73f30816dce49c24f3fe70c90597

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
0c0b102f69cf09e90c877be50d632fd1

SHA1
cd2842acc9ab3c43cebed4b3b376b435fef254d2

SHA256
0db33656e1d78b5698d20af529d0182a2ee297d166ea84f133908d75d55de9ca

SHA512
7ab14e625dae018655ecea8dca16575dc48e3c6cb3ecc21d565ae11847d454bc247a9645867bbd78724a10ffd3cfce34102781501157dbf56fbc3be503bb7cf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
09acfeabdd04b03b361041cb567636c7

SHA1
a47a69ddd9ea17c6f054a654f02f5fe14d60df23

SHA256
a23661407e4c62b325af43a4a6596300b33db50f6fcfaf28f1d32d5a135f0fb1

SHA512
991a8f5cf4aa9e927e92de1c9f6749d2efc38b685b6874e8566acc80bca0c133bc99661f3d4c7f6e98cd9b0f4d9358b03654d26078c504c231c62c1b8f99e530

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
4a44ce77b9100fdec7343b32d182f23f

SHA1
1d056ae9dac20bf5af85ff2900ad1d337bfeec6b

SHA256
07a35f78f79d108abb3fe3ce95719dc1b8fd387b4d03242c7236d51755d198fa

SHA512
e7597de6667b2b97adc493583da799845413d536ae6ae11d986869d8e7a0c6d9735feb2a9bd1941beb176a0675714ffe73f01f2c5315d7d1f7b68f4ab9dfdb2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4b26019129e5adf3eb28ae6de705f6b9

SHA1
43780320d81199b36ac60c2d7e224810c8668322

SHA256
794c52adccefaf87e8ff9ab9fe6cd89767ae9b0e31a612560e993b3fb0ed5ffd

SHA512
a22e817ac92f70cdce11cb92ddd210210151b7b153c47f79cdaddf3944ffdb5e3509a747bf3944578b2fd109ca242270ee566bb3e28ead6d73e538a31bb88e84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
8fbab53a538399434c9f318736f3c12a

SHA1
9e37a8a676916a668116738b113d242dbcd5f7ff

SHA256
05dc0475ea03aac7dcfcf86a3897aff5216e26f201e6a024b96349f0070fce8b

SHA512
17ef69a531aaf95be8a0ad990849b31df6c000b6791a054b57d6f0d115fe4006865fb0f9934203241aa5809c9a065c7192545950484134e20ee7e8c2fa214373

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
bba82bfdb5f26bbb42b0d03aa74b7d5d

SHA1
8557313bb31674b2bc1b035104a164d2a5491e5c

SHA256
55658b0d76d25fd2a9f3ec16464bfbd47d494819c220887380a214bebfb3e1b1

SHA512
3804ad58cefaa1c5ed74b2f4f4af3992f1db76c5d3f3c359dd3cc454a9ed222b428d061496dac8a3e6a0e92c5cbafa55105e22072fdf1aa297082fee38c7f96e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9f23736c006c4f4c508dfe3893506e06

SHA1
931c65b788b12e2d4456a474b64627393398ca76

SHA256
47c4770ce4d3c565ad1af1073161c46e6e3ec229329da4eaab045e5519854ce5

SHA512
8f548e983583968404eabe3070650c519d7a4324fa8bd857bb4ee0cfbb402b8a5e4063ec675df2955be376c4c6c3685f0d684a9404ceee0b9acc16c6b16a0efe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e97b8fd5c514ac3880cd13813dd39dd9

SHA1
a412f7dc9313d4c39a39118c86221015eabd31a3

SHA256
6fd9daa73ea0812c9b738b27e82e3ef7050e77008403d404abf7c3a761884b64

SHA512
c55e807bc76c80c2e20cc0ce8efe1da58ded0155438dc7934c81dc0158766056b3c6755184521b9d0ef3396d14022ec9ced5650ec74f2a5d7b237b92e26be31e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
bc83b95585b29dbd7f29ba872432386d

SHA1
c69c8c651ceab3aec5e55d0944cd824c8f68ce75

SHA256
e9dfb447329f15b16fa067ce6fcd6e45345b417263c9018c8c6248f0cd76e45a

SHA512
d331830adffa98f7f80143f58392916de81d67c1088e482d6f50d72e2eda76eeda21e8590466a2e0eb2bd37af8208167f928ed247580c6120b211ae631694e6f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e49ee37b13b6b945170b4d99c60ae5ea

SHA1
272ee1a8b8f6e4d0f1b36c462343d46ecfb070f0

SHA256
530817e18879047b8dab48b92e8e16132a3fe49cbe38b27402ed17ff02fcce88

SHA512
86cd794daaa9da49b5d459ed227b1519c559bae8e1e6f9ee088eb522651bebbda3c934d7e8504a492329cfe2bd89c74076cbd570de1df0e56a2b5d0da1f6f35a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
6134ee9e2a953481ec1b34e1f1cfd091

SHA1
504022e8189c1f4e548a3a16e524e4fd867f4cc9

SHA256
85076670417083dd4695682439f0dcd6534c166c0938b61cc2aaf5e7e767256b

SHA512
7dcd8679d05d7f12219161b6cd360b5306ebcf12a3d1c371642d77ce94b4af0e626d02e2635c393166bd12052671732542843e6a7c3caf38d408ef82dec4670b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f5d8a1c66c024315ea8a1b2b7253cd1b

SHA1
890769db2d0f28a6c8ad66507e6e9497f830dc0d

SHA256
728d6381dd8c7c1ce4acc386954ab88a6715848b689830f18803d307a451f540

SHA512
944a02bc49387259e32236bef57c10e68568ecdfe8eaa30ea5fc7258dc14058f48f9e0662d4dc823dfceeef8aff95c719ba532fb7ba856435a0fb38ad65b0a92

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0860fe09987d5d1dd05f1f3fdd5b5db7

SHA1
e67a25c4189bc71d8b37e25f230db5c1d6aec52a

SHA256
d736c9f3ab3138cbfa7a49fad020e177410b4b66b3e1279a10d3b8f166b8030e

SHA512
1d0035d6e25660494cb164591526306c990ea87ef14970d6b2f7d24d2e9454344296ac85592fae386ccaa9367f4252561a29d60d2ad2eb6cde2f6a5a119fad9b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
109ca12fdd838675b7fee7c4bec72536

SHA1
8e2d3e0d1f2d9b282418e3a39170c60d3ace21c3

SHA256
bdfbc52ebe001801a21243b3dec20e73504be3184e6f8154e37d528459ae4c96

SHA512
e80d4d8f4fb74febd0d158c5e715058dfa5d79de4cf1962e692583dbc03ed1a805f6c8233850bd68b68528fe6df2207c93c57fa196fc10c7cd07d2481293dd24

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2a52ca7a1dbf1f7604b2d9c52eec817e

SHA1
37840a231e7f3cb8cc1f45076e10178043822f8d

SHA256
147ae481f5db6f6f8e8b055752d6b4c1f52530912db9a446915c0ff788d341d1

SHA512
320b2542d452909ec68d12e04e697e01ad4a1ba33f0a8b7c8d6d6e6fcaa45f19b7d63cb9c845fddae0595b657d2872feaf085dc7beb0ef5b5ce55efcf74c66c2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8d1e5064c43f2e706423678d05b7d2eb

SHA1
f156b587500814145bc405593c23f82205b8c10e

SHA256
a43213c9c0b9d911b6d1bf9817cbcedc55cd99fe5c9c580929e7064d4a1fb3dd

SHA512
19138135374d9386927bd09ca979a7eabefd3042605abfd10e963a386f708c90ce9ee038ee283a995d90ba80a2d1c10078465f9e2db12d6167feaabab036acc7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f55179f9b052e01b03da9cd5a86229d1

SHA1
c1d0ce9b6c393cf5075476d8dc33d2344bc57d6d

SHA256
98103efcd3dfa7c0365d8b93f360f89518e6b74694a407a2fb8e1034f99beb9a

SHA512
9b637bc444b6edf5c1380b5cf060bfc41d096d88865e0bff4826735aa6152cbd2d5e8443fedf1e9587aedb46ee634a958001a3b966cdd30dffc06cc979f40abf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
16bad9f75a8e3e2f8123796bf1a71cdc

SHA1
47d7352682845339dcedd2f7a9927b10a27be4bb

SHA256
698604cf7ac32e13a75c9ab5e08b2843c3d4064b7f75a73e8ef5815f31fff0e5

SHA512
4e1fc81441fa7cbeb070dac3b8148f0c57b946f024ed4b334756f8ad2167e7d6548d678fc483b09ddafa2955607f4d07fb8c5cd38fa9509f442586c78c955491

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9c016fd6612495983aa0dadc235ac4a4

SHA1
e18146d53a1d31ec53a1e2940226561e44c4738e

SHA256
dfa96733e0cddaafdb9a0d985536c574dbe6e241e6771be9491d5d1a99a897dd

SHA512
f1562af89e4f64d2809a8188194d564d9ee54154446ea13c9fa0b05e933bed38846ec6428845ae8820a50b23c79cfc05ac5f072a8cf81475f04af14946c8c714

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e2ce9fb417948f0deca39b06df49eef9

SHA1
59f25a9e744d44a4261849de6e292595ca322010

SHA256
0906de76790fe532f9ff8a08333bb03f4ee914286d6ca7ad5fb1bb1db7039b8d

SHA512
c0683fb9200b451bd3ee6e778121573537e5dc69e0e8ca63a9772dddc638916659316cf688776a3dd6400df1069a7e46f0812daef2354f5b5d0559dc39404b14

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b6c62e959b641b0cad6abfe8eac702a3

SHA1
c50ae2017619ee8ada7896328bff82f1df604a96

SHA256
c82031c82cf27041493447ac3d9318461e17ad30d76f29b05eed768b3d67773f

SHA512
a98614f77e5c021c4e127dbdd216ac76a9c280f31bba17e5b8618488c0fd216ff3d7e288955a36c5a4ea5339f06c064aabba54e55721c6cd2c1c3325771da56b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
376496eb09bcb040ac77c12d86ebf987

SHA1
c461ab9c9357c7f9cd89df311c0c021065a6e04d

SHA256
72466edc03cfb212a590b692a79f4f79d2d4554685596ac6f4fea9867dd4028a

SHA512
d3cb61e32b67fd7029777bd6c2f603f28dd2ad2b6ca41a791627c9ced88abc1e5a8804bca58896b7bf835a13a4a334ed7d444b7ed1931c43120a7a45435c35a8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8bf1b58faa14185f9814bc8955626921

SHA1
6d7c1dee22f022b53f6711607ab5de0859af420f

SHA256
d25a9907d976ca02a1cacdd81cddfc96d3d2acc381cacad1277744ff0b3d8bc2

SHA512
dc42cdc516df9081398c9d977511eff412a9aadc3383de43760111f2b6c6217345b6650a9a871e86ab30f77b7bc56ef488f84337b48a58891afa6823290f5c1c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e613d47ab6bd918ebb11c9946be6d4d6

SHA1
7bdabd7ddfe7cce42ec4b3d3eb3721b3b9d61a4d

SHA256
7627c19005efbef8d0b5dd801b32e50334a18a0477b2d79baee7cbc0f29f2541

SHA512
b004e2689e285445c8d06edaa5629996ce3dbaff59cbc3e0e44fa7d89af8613ea298ee13a7ecf58510769a1533be3284699710fa1cb4e74b23edcfc543d8f98a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
08ca04ce73c2f23ff92dcbacd1ff1496

SHA1
f61a4b924f5361353a262635a3b290609319737a

SHA256
81b2bcb03f4253bce0485bf1de7f38657804ba319869e31b5e81555cccec0e26

SHA512
67b582e320987c7801482f92c3021a96d77cf5572bd697ab7d25f49ea49e2df6eb29d622559ec91accaecd022a630bdecd6d13c67363147bed067025dc3e9c72

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
97b18d5a2fc31fc9a19d29f88fe36964

SHA1
b9bc87e38c0c33849987054875515db3fd4306dd

SHA256
503a37d1543f82a69f1d34780118c6b84c96e6a84d520535cb685096b52008f2

SHA512
3d15777fc6f9eea230ce25bafe44293c5478e0ce4042cae3652892d526980032a47ead4f32bebed636c5b1efc2b2f48e75ffa039ae4c82424f8d2d7d3cf195c2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
73fc7bf146c10ace935df0558f463329

SHA1
b33f7ba8454140a82bf849f47890373885f68ae9

SHA256
cda2934eac62be42580e77b8e95acdacd5583bb3f5eec3195f9990d4f8b086da

SHA512
92c266cbe1ed2d623d65485702e04edc672fd6dbf79d33bdc7e2be1622b416003b98f134dd7aec3685755a9f1c881c3017079e52e72a33681b421c315ddeca0f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
84c9551fed1b0022f993d2c8b3c55a45

SHA1
be022243d20a9ed6314bc227d8817a138583bdd1

SHA256
7d6f24e3e333d83e6ea49e20a07db58337f40025dcaa4d09890baaf2cc40e79b

SHA512
ac70a211d2aaf8f67f4c2f28f085cb1dad5a026e317b54e7c4a3d0f26d8fa1448319c40853a26b8e2253651fabab56390d0c09bfdf46d8e77cc5ab7d2ff4e7f2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7b5d8604f847d571ae0a24d9a5148f48

SHA1
36549d7c50136bc2cf4d72a5cf4dd56608911828

SHA256
ae06f990c7401b7cfe6f4491ea1946f5dfdf4409be05a639bfe5d94eaee65059

SHA512
b2ffb5b98f87b58b3545444fa1a5ab9f8a8b471329900ddfbc8eaf264fbef22caa92edf4e27b19570729f963a99e16cee2d2e8cd5a25f1bba7e99caf5cca84e0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3b1317deedaaeec6636bffc33becf78b

SHA1
36a4098969a76ea312097d603fa3410745363f11

SHA256
a3df4f3f65f1540fd0d583e65dc9eb4cb22c075eba73f7bf67a6bf7d908d89b6

SHA512
591d27bc63da972954b8ee74c31938d48ca7a83a3339186c0fcaf143f72b8909eb41d397c1ccd23eff84eddd9b45f7ccca6cf555ce34f51da1c9a140ad676a18

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
bed3efc4144297e434056e25b16ea33c

SHA1
25c40644b7790f90772a6490e3347e05713ad115

SHA256
2b0e940bb05b60cfff4b15b1ecb2912508e59744720e1d857a9c1394c17b4b90

SHA512
4f39a6318145770c4d8d72c88b2ae078326a52e2aeeb80a97a8ea7906673654e4ce92fbfbf30252caf7f85d65f6b7ca4d53d6d84574add731dc12300c2a452ca

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
607ccefc6d1ec3d9b9c633f878ee94c4

SHA1
b98a033b0b722b5dd3ce7747923519cbc2180937

SHA256
9bfb5ffe51caf52f9201c96b5251ef78d24db6b02c3b18423dfbbaae66043773

SHA512
6b3ed311af27b260882f7cafeaaa2cf08700c8db803433c6a6701474f3422bd020b626972fe43414886d18326793349a612e3679783369bdc3f85b6be2258a87

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
7e7ec331e42a61d92cc67760fd51f54a

SHA1
a8106a52bf60c5086d8886d8d0865be36054cc51

SHA256
1b9f87a8172162779d068a3c435d985a62221b2663283d37a906fc6c3a7319a2

SHA512
055878cb192325c8d2ece6931943b823b2712bcef8f103142ae6ef93cf1aba773d51ef039fdc5771683ba6e0470927caf73cef7b2a894d80762943bbb18c7a6b

Download Submit
memory/260-81-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/260-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/260-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/260-74-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/780-134-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/780-43-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/780-51-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/780-49-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1088-107-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/1088-101-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/1088-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1088-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1224-166-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1224-111-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1328-94-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1328-86-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1328-85-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1328-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1700-55-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1700-67-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1700-65-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1700-61-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1700-54-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1944-271-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1944-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2140-135-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2140-301-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2240-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2240-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2268-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2268-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2284-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2284-40-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2284-32-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2284-38-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2320-110-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2320-23-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2320-17-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2320-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2548-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2548-6-0x0000000000BE0000-0x0000000000C47000-memory.dmp

Filesize
412KB

Download
memory/2548-1-0x0000000000BE0000-0x0000000000C47000-memory.dmp

Filesize
412KB

Download
memory/2548-7-0x0000000000BE0000-0x0000000000C47000-memory.dmp

Filesize
412KB

Download
memory/2548-73-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2564-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2564-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3000-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3000-352-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3652-348-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3652-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3840-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3840-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3880-167-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3880-372-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4264-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4264-374-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4532-119-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4532-227-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4540-369-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4540-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4588-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4588-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4588-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4656-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4656-331-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download