dbaefe643980afe927628cd498ab416fbc18acb86835f5a86bf60d2c683f9961

Analysis

max time kernel
105s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
Size

712KB
MD5

708bea89d8be8bed68634903c1a0fd2a
SHA1

b862ec5c984680f78ece6e6519decb0a841fa4ae
SHA256

dbaefe643980afe927628cd498ab416fbc18acb86835f5a86bf60d2c683f9961
SHA512

1e4124b00b03b66524fc9bbabbe6b4967ff9a603292430cb9f5ed956b4a681a816d314e2645edbae91af59e990e1ee8666c3bd690cb71a2a9a22c344a9b2ef18
SSDEEP

12288:rtOw6Ba1INk7k14+gYZ5UaiAPqF0JZI4GPnmNbIQ/qDJSgCmP8i/:Z6BDk7SgdEPi7PnmNbJ/UUgCY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3384	alg.exe
1612	DiagnosticsHub.StandardCollector.Service.exe
3900	fxssvc.exe
3608	elevation_service.exe
1884	elevation_service.exe
2356	maintenanceservice.exe
4732	msdtc.exe
1664	OSE.EXE
3484	PerceptionSimulationService.exe
4352	perfhost.exe
2192	locator.exe
4876	SensorDataService.exe
1828	snmptrap.exe
4388	spectrum.exe
5008	ssh-agent.exe
4520	TieringEngineService.exe
1584	AgentService.exe
4536	vds.exe
1996	vssvc.exe
3524	wbengine.exe
3308	WmiApSrv.exe
3444	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1c2222beb3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c31070a8fb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5cd12058fb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005852c5088fb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fecf040a8fb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec231e0b8fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000832acc038fb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d17ff6098fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
Token: SeAuditPrivilege	3900	fxssvc.exe
Token: SeRestorePrivilege	4520	TieringEngineService.exe
Token: SeManageVolumePrivilege	4520	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1584	AgentService.exe
Token: SeBackupPrivilege	1996	vssvc.exe
Token: SeRestorePrivilege	1996	vssvc.exe
Token: SeAuditPrivilege	1996	vssvc.exe
Token: SeBackupPrivilege	3524	wbengine.exe
Token: SeRestorePrivilege	3524	wbengine.exe
Token: SeSecurityPrivilege	3524	wbengine.exe
Token: 33	3444	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3444	SearchIndexer.exe
Token: SeDebugPrivilege	2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
Token: SeDebugPrivilege	2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
Token: SeDebugPrivilege	2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
Token: SeDebugPrivilege	2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
Token: SeDebugPrivilege	2432	2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2724	3444	SearchIndexer.exe	115
PID 3444 wrote to memory of 2724	3444	SearchIndexer.exe	115
PID 3444 wrote to memory of 4736	3444	SearchIndexer.exe	116
PID 3444 wrote to memory of 4736	3444	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_708bea89d8be8bed68634903c1a0fd2a_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4980

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1884

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4732

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3484

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2192

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4876

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1828

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4388

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:692

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3308

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2724
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:5340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
60f33ea90c4db98aec6eb0743c37b0ec

SHA1
6568d1e898821fcc5ca23efbc5a3e61d395ac414

SHA256
60d71adcb1d32b05db4b538d134549647346b595a1601cdb1525b85958429dd7

SHA512
b106f4d7e34711cd45efdc6c4d3a5e2b1d1f74b6a7dcfa18656abaf2fa36fea976829116b0506f89ae3cdfec71f1703c8899c74cd06f3f0ac3a561bfadb30f1e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
7c2724a7305bf899e5a4d348359d9300

SHA1
bda045643afebfe8a2c73d4a5ffc888342052530

SHA256
03d1ec97520e8723daec87a7ad8e07f0542af07b09a103405e4ae5bb45e11702

SHA512
9b9c1bd1c9bd57782ef1f03277b23f49bbd7c3246a735efea40a242278aea93592ad6dbd380e61bcd5dff5a5e104e1ebcb7458a955042ec8f7c055f1e7eac936

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
448KB

MD5
d789630a9640bc4c82f71ff77285d9d8

SHA1
1537395e02e268c246c681170ec47844affc3a41

SHA256
9ca4d0b1d398e2f8416b631138aceb82b4426983aa37c5684bc9d535decad364

SHA512
346e9aae821c1d8b858f1a6bf535724a48194c22747fce5dd4476db504fed26a5e85396c1e2f9aba300e5aea2ce92ddd5403feac2defbbabf76dc99c533d0934

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
448KB

MD5
972d4c75952aff8d352a8c1affc8c222

SHA1
725e3002f9bf4540dc720a0a86e07bd26424d498

SHA256
31bfef6a1dec5deef14e3d0f401224eb90f4452b4db959f4c553daedeccafabd

SHA512
551b906da679efa02cf3ad9254b9820e6382fcc1a0c01ebd40f6461baa7bf2976fa9650e822bfce33e22f9ad3a467f3f7aae2520a4991e94dd68773a267f95ae

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2f5c0fb795e223d816252a45705b8da5

SHA1
adc139fc02121d027451e5f6646aed2874333da6

SHA256
8a3c5810471527e0dce1b3ea9c7dfa03c49bd3ca56287e81b3abecdefbc68654

SHA512
f1d6186d59a62b9506b3040c11710dae3fa20f215ce74bf312802fbedd20f2ecc93ff13498065fc510a319c2693e48eb78eadb2905dc32cd17190da5db08d3ae

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
bfd36e4a8adf9a650a169128b2c7733a

SHA1
ad1b8708a7f718af67977361d1617674a73052ee

SHA256
4c43ceb9c37b0ceca11d601aa4b042e7c5fe2f9c404ca94d5b2d1f12c39eb585

SHA512
3f9c6cf566ba1ee6a774f175b3685acc9a96eccb064875c7dd400bdcb11f3e365b8c65c0f6606e6bd6f99be785be09e1aa5fa7d85873af7af991ffdc6043d3d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
87f7f3c08fadf3e022b6434519338b5c

SHA1
d5f9fa81aced72cd8914ed0ae82870e1e017d87c

SHA256
0982911506426a09dd71837af1603f4c438b7c118097e9130696e1b680a123f5

SHA512
7be9bb240d2b05079c327526556ff15cc2586c4f0b63dd098785053882a4bf435c17a6023da1bf012bbffa6393f2112eb90ff4e21f520bdcf2e247dd7a74905b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.2MB

MD5
b2cc44f299a9085f8b328ab374085528

SHA1
9463ef9ab76995bb3f8c136c2275c29ea0059b75

SHA256
db513cb2bc811072c500b5bd485bc7c02a27dc12e6bb4f65645afc770647b2d8

SHA512
65403960060e76d489ef844161874b88037ded27fe2b02dcccf8ba7172e2609f15f6b9956d445fbaebc84ab2212125f2a1ad0283ad300e4faf745fa6acb759f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fde654c046c75522a1be5d93774ae5c5

SHA1
443ce598d7ce4bd22a62019507d69dc6738f7901

SHA256
0a3d5a512778bea6fa31ddb9bf70f9a50b848bb982982d895cd6df0510e909ee

SHA512
59c2bb6bbe1d6a299e051f8dbcde7894f700678cd8f6c141fc3b3c0e4b4793da221c633bf2ebbe1c7cacfeeb4f81975f8335087e001559576aa8ff878d6f3a3c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
14.9MB

MD5
26b626d12e78b645265e7d59618bc829

SHA1
199ebb47fea2749502aaac620b6882f09684586f

SHA256
ff6119ac9586ae0fd4f58c028e637810aadd84d7a1daa851701a74fb397dfeaa

SHA512
9fba942a4181462008b43ac1df17420f95b846e01f2bd7c9721d15736252a029dbd90dfcd1952ba38e07c1310dc9286424b3842b54cf9bd6ece70996e9574c9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1.2MB

MD5
e3fb15d308662a3ac20b00943cba24d4

SHA1
4561257dcefd879cfe20e5eea18f5858faa9fd81

SHA256
98d5970c20b6b440436e3dcf7ff29515c1afc927461d25f90a00f2ac4157e69b

SHA512
50471949e503a9dc85a17cd2dee81df3d4b5f9301d3def2d1255665f9369aa62fc30473473fdb29a63bfcfa1114af05206defb0dc062472b56119eaf26d76c8c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
759e2699c1cb694fbe50dc1bcb42d789

SHA1
f1fb17a456f400b7248b8cf637773c2e13f0a63e

SHA256
efac3a2490a5352db901c45c0c2907820ccff328141624c1bb62da3eac38f1b0

SHA512
03966cd59d4cc001ee58adc576fb1660d798deedc6be8c4feac3355d8107b8a84948893a3c55ef819a2e52917b50ebccda287fd3c307d66b786256b5f7b71cb7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4ccd366c758ced6e6fcb5f596e7d80d6

SHA1
c09dc17ea5ba2f068f94dee5656682647060e810

SHA256
e3365047455a97776c96d4674e7d2ab866a405336a6885f482a86ebe41e5f67a

SHA512
39d2f3ac154c2741c33656073f7890ee98e5963488a5681a77b7d71931ef16debcfce5453f55ad7769638a098e46198f9e21fca87015d9e083b06a17cbd714e6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c454b5e4cf6f9dcfa6cadb8a865e35ca

SHA1
7a72dc60856a6f55552a7647ca0de8b0eac2fff5

SHA256
c408145466cd4d38b8ad1b16497c173b4f8b63d1bfe2ef445dfcaf2013fcebf5

SHA512
49060a624f7bf5c9aea8bc7364bc11c6c90d0a784cad4b64fb0277b6823b9cf401f937921b3d50921b967b7bcd93e75711f2976c8e3efbd32d27572f51cb0fe9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
60ee2ed3b4245ef8cdf1b31ef2a9ee58

SHA1
567db4610564f0fc6e27394e03e0febba2bbcb10

SHA256
0b333c0079e5852c10769c23df47140831c4068eee8d532d9001209256db1f4a

SHA512
a09838fd84da7112d773cf08568b9f5c1aef06d2776e80da1c22599b66c09e26cd564e567511be65e050511b404960beb18513f554ff640ba0a95420c5967799

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
2.7MB

MD5
ba169e7a2a206ce0c50caa1d7b205879

SHA1
1376f282d640f438c6aec559786c8f4924a7ff75

SHA256
8c5de103977835350c4908bd3c3d0e3defdda9f5c1c6eb1bf708d0fdc4a26d3d

SHA512
21c02a211d9e09b08dd17135dd2e5e813a503f6fe0dd2d0fba4926dacfbe887204b7d5c3059a68ff1b8f5bea745bc7dcd21b4f1f3fb54d83c4cf8039fa74b5de

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
9eefbde299713ba83d996405154d97d0

SHA1
5f6c81f8c6316ecff86b6655d871cd7c35f3d6ac

SHA256
57f6655ca2146013f7d6d4014adbd9cb5e09538c350ba9dbc40cb5b160f3be39

SHA512
09336fa00ad94941e09d971de801234f9bc991899cdb8f978f0cc2d88bc0a36a5902cfa88e3a5d538d278d378072b856e83cb00a8e6f100555007ed9326fd8cb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5a7cda5259f6e53e6c156a92ce0cba08

SHA1
05dcbb4c0ff27a749df0c6ea609b5651dfb7eb6c

SHA256
dea391be12779c6a13fdd7b78b96778972e11a2496bc337b10c254e92dc98195

SHA512
f1b41fec269651da31254754c49675ecb953328d575ff171ca4ac1434304d99add9179eddea6f267d93439008b0a052ccc015fee4971c1e6e6bf08496da11343

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
d72d9fc43c3d9e7cc34b67cd33595296

SHA1
80ddb277acdf25c162219b52855b6e21e4a8f29b

SHA256
78461dc5f086649bdb1c8e2bd2f04d42ee422fe6304a36cee14636d7b4651451

SHA512
d410e289041770fde74f94e8a6179a96dd9c0fc8dee7e96e777bb115eff9d0929724adad400102515ebe19cfe24853b4adc767bcad4703ed3853d01564eca4e3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
1223ff7c74f2a0b7b39e5b1ad6e02d9c

SHA1
603432c202c0ed7a24ee89b2da55a547364d00eb

SHA256
4800830377c9e0a71d997935665f826283faf09d4c6822e333164e62e1715b0b

SHA512
27616487501e68d3cd66984414b8848f83c74dc538de867de995243bb801e799943d1fdc0ce2e11d8c36f493f09abdb681f43f8382acbe498c28ee05969310d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1425bc823191c5922372104d46c59be3

SHA1
bfa0d768b0ea8c33c859b579563e60ea95489f40

SHA256
f14be6f1adfae9bca0e14eee2b595bd7322947a81bb180dc5e31c6a33eb4cdc4

SHA512
c53ecd10daefda76886e36f956e7eec1a80bc3340e796861e1c7a8bfbb6333e2f367571b147a83eb98680c7ac9538644c4a18a9b3e17bdc1b309bbaf5bbdeaf4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0efe81e9fc78cbdb048897256c4ff228

SHA1
5ed88fe66d6722dcf4207736e3b1f141877f0b6d

SHA256
bfbd9e4063f19041257d2fb8be14fa72892fdd938dc0f59f630aea5a6f4b2f06

SHA512
030defc8c01f03c3d46c073cadf82a80de7c06305e2fc9d18c2bc0e568ff678aeaecea15975f67d084cced98f7f35736ee89066816abe292188006abb22802b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
bed5ec68035781511badfd9c90b7c11f

SHA1
ee8738ab7f77be2593db48dfb1dba1cef1fca554

SHA256
b2ce885962c87adeedd953ba574da7e2e6634bf9b7957797723413e6f8ded9a8

SHA512
9a3af2962e2d35e1902c011b9a0147da4e07363a16d5a9db4be0f89d07b294a0fd89ebf252dae9734aaf9314173b9cb6116562ea9aa06f4dcab568c0686df100

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
192KB

MD5
018c8f25f70668dcb26b85955ae11117

SHA1
dc0741297b6960858894522e95c86c881dd93da0

SHA256
8f8849e43d59be0082c6b46b8a99485f55b5fbcac02e67a9ccc3766a7d30b457

SHA512
8d232edd447feba933a8393ab0532257ce7e71ee500c3242dcbdaf40066338b9424751729e896bc44cdfdbc68d7c748731a44d3529003d5a813590659272c157

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1421d34bf4d02c22c4b5aa802dd1fcf9

SHA1
f95eec52264d48d08a7a5aa8072ae56d6f895639

SHA256
8eb966d519e0cf3e05ebc5e845a3b4ca2cb0035b51ec289e2c1b83420b42f882

SHA512
ca681943ef10f530e66d7534322bdf89bb02b41bd2460edebbf2392f05b77c3e8fe660078deb61c9e210734e2bf6ccd3cbdf3fbab6a7432d6541d6e3ee86d4a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
ae7f2ed567d2a6b9f8f260ed4a6188dc

SHA1
7b881cabfe61b3710f1b919224f18854e6f0d471

SHA256
1015ab7d5a37eb57f4610e6de36a8413e3573d327e8b9d5e84024037fefa623a

SHA512
aed41ac0dc9088ea475846f9ca2107bb9be52f5b86d5660ace185ab462a1d3116e92d2390c810d2ea49ef0d61173d5ff521e96155c2162b8f48ce0b84e0f1caa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
6565d0b20f78aceab09c1c0d504e8101

SHA1
696827b3abbd6f081bb192f33ad28bd026315982

SHA256
e5a48e420e3d92906cfc361070142b63c5840f03d2ad671edfce2d3722ae70b4

SHA512
8b34521312a8b1882e85aa0a8a86eca6b901676d237086db726af1c99724d98873d531afc64b550e1f5848487710b03139469e5c8673654769e14961f3b4acea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
91233244774f2483ad1ff54a80e255ef

SHA1
4234bfbe301c4cf20d575317f144f22e6ae6b473

SHA256
1906b44424f0c007ab514ff6b6a302cfc285e207f473f3ad358fb334788f77e0

SHA512
a4592f14f191eb14ef0f628e699058b1151cc50d08aafbe2c03b9716ccbd6caab0b24d7a2fccb7257b5fe20cace9b1e2eeab213b05b29365505e62fc12aab04a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e70c07475c860cd36ebf4e33402466d2

SHA1
ca868c4681ee31243ba1478c5d4bf9c52898356c

SHA256
99809209ac836cbd9744fce25d3a85b3cff82a4f9aba65c1f10daf1908b6c460

SHA512
e97db64e8137138be947d4c758cee45e3d6d1fa74978f5bb5ecf32ea5ac8bf4907b9c187c9a7d155b055a1c35ed36277f731c47cd17602a9243fea9c4b52be52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
6c8ff97597175370e9cf46ea9066ddb7

SHA1
fdc0f89723c1399315f7a723a0a76c3693602e5e

SHA256
e2ef30dada1b6c567fdab6744d6239c739f3d54b5e2ed24bf9b40d762585c3ce

SHA512
987bf5c07c7caf5a2062ecc700f3b0cd9b5820fb813effe164a9581ec9eaa6904a42163c28674e3f97bfb2bc6d6c4ac74ca27ad3e05c622ca7083f517940b989

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
dcaa5c1e2c7beb1575fccc73cd17749c

SHA1
9b31f3601b45bccf4d4cc79113ff3218fe52b434

SHA256
a4d97d7719c527332c1b7a587e946f704aa896360c9a7a8acaaf6bf91a781cd5

SHA512
061ef040b51aca5a48d25ad04a5c40fea32fafe73a66354003ccb6180d3c7e353bd57aafac91a3933285325ef2729263104ae77c99593ce6607fc8538dc202c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
fe328d2b2ffd0eda053d6aa1d0c2e550

SHA1
fd03a3aa06fdbad7847c858ea670672ddeb60329

SHA256
6298fc0477e5265888184529f29dff131257a82b120d97d363ac9105160b36ac

SHA512
a6b20822478b63eeb918e8d3a505ba0565e00afd696c383f6222a73a8dc0059389fe836c77a7fcdcf4e254a1fd0fd991e7cd975c19d4657c5f8c7089a3019550

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2344129d65ebc77d4578e51e8418cbed

SHA1
be1cf1d2184f68c438a408dffcfdeb7d139afff6

SHA256
eae780139a34b8bf81f969aacd107aeb7d28adb170207e5653ce40e16e26b831

SHA512
34496dd8663242e15c40bdd2ceaab54561c99db015e389942f442da17932a423aed04012186e72456f010eef2492d119e96cf9709cf140be34b0ef7ded09d33c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b7324848817b034ab8d8a4713d4d1049

SHA1
b81326c8a0e9a58062a8319f8e7dfffe4bc5fc12

SHA256
8ffde3fbe38837a6cb911b23e8595890b246906a34f80067797bf3b8f5971f8e

SHA512
3b69ec0f4a71b1940314ea51e942c750c1cbdb05806eca95e7185e16e16ac8382f0ffb922bf7d5596727c605dec03dd8a2d92b919ae34c95e7b2dec16d3ee3ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
37da397789efdc334150e8e81b3e3f58

SHA1
ed1d6a20b593bdf6c74219b278233084d43e97fb

SHA256
472e2bb96f5f713f9ca40f9d65fbe13e4bcbc1cfe0b6d9cf04df7699ed43f85a

SHA512
b382a0904645da36a58410294ab399e882fb15874331d0f1f58d48f1d7c3664ccd61223716d66107e2d3ebd3f52cededb0e95c5014222c4290f2bab546524b68

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
02d457935192c960bef20dbbe385f9e9

SHA1
057e2649062358fa66e8a1c937efcce43ced6fe5

SHA256
7f588075a66aa2208023a0f38e635a2bf6c703157e0ab648acab3e9143ce6951

SHA512
f1aa344286b23abec8efebc6c47dc5cecb88bf0f631ccd5ff7075021fed0d7cde1e5a6a737ee08bd0947287c01c09d8277904b7fecdda99a1ab0f06dd1cc34f0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
ece593be5ace6fa764f4247bfd4f8b1c

SHA1
05af3521b2928fe625549fbc43b9e3ce7f4211b6

SHA256
7badcf4076c0cbcd4ab00c7724f72784685bc52536c12867af6ee52b119c511f

SHA512
1539bb812ee0cc653ec76aec1afcab47da047952ff8a988863ea8a92a12c0ec2b4e00b164126b2f536aa375cda69e78f5422afa8be233fac8d336e5addecada5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
88c12c033a4ebbc42b14d63567b0a678

SHA1
c50b686364ee4dac5f84c3ecfaaf6e0050f87d7c

SHA256
51ceb019759fc93db78f7444fcce267ed31ab5ac568f154c63b9f07a7a234de9

SHA512
443cb44b78b2f298fe0701bbace8925a474d6872d5bb7cdba2d810a04ee263ef8f11aefb30868d1eac06436f4b1530127f35bb2adea4c23608ebc8d7fdb39592

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a80f3caccd9c5a4bc20a1468b55e0144

SHA1
6dfdcc178cf563077bd35073088c98feb25cc887

SHA256
6e0150085c36aed2c90940b657f93762a2ed415f83980c0bde48202a3c521a0d

SHA512
2142e9619b4a495346d67667dfc32ff1de7dbe3f4d8ba0925b7fe4f67e5d28c227317b8e30144ce54e7e71699a53c2ce543202d837aa8289502add0e9a31f7ff

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d2b675a7bcfb448e77a904840ba5efd5

SHA1
ed0aa7cd4bcec900cfbe2033300bbf34d945f0fd

SHA256
8aa60203defa8e5659200a7b98235da83b6e9bfdcdf141b2ba67e241b4dadba5

SHA512
830c7a474a7ccfb97de212af1a2c4b47b2bf56ae8a32e3c3a3f240bcf54842e77d765ec2b490d2ae625645daa830f1a62746157e8437febf0ecf9c90b4e4e8f4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
45e93e8298dbdb4110e4a61cc6b36358

SHA1
28974027b2178c92d01e7c0579e139b1974cb51e

SHA256
1b113d0633e74d962ac819aa1cc82b6287aaeef6f94c1878839563940e5a1790

SHA512
74e9d2b4652d0f14600d07bb1ed9f2beef6d218eaaf40d9408aa0f773a4987adb66a778efefac7f4f57b4b41a17c4d93df162634ab0ceb175e4e821af797fd0b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ce60a8932a2cc46220393b671aa7200d

SHA1
09b6fbfd46942087dd07b525c99d63c07ce7bb02

SHA256
ea6100c579c0ac9da79ced8daf18cbd45071d4e48bc3e4525e082c2059e09c2d

SHA512
bfcd4314709fdfb7e66449edd061b3d618a5d23590ce97b745cb19276122b8a46dab5cae1b8e0b1911b11fe4a1f6ba4411e9911d9eacde35b198e36d6e740859

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
36b93ffa4209bf7fa7c3d25a4573f4f2

SHA1
8b9a2284e8f01fa74d6008356537d8f0082d96ed

SHA256
6112666f294b1d7486c7c4e52ad30ad7c8e772922ad5ea641c47f63f32315240

SHA512
4a3d5bf8416bb4f1d576c1c0b01f72784ac64b53599e3457e066094d2e1038e2375bdefeb7d7d502f826486faf668e19d10376b9e762e0ef6b9aaeee1d43b314

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4e9f03485e91c0236e9aedd85adb6a06

SHA1
6f1db7cf848e7417466595eebf68096d9e577fbc

SHA256
ab2d6a4d9a7a112eb48a2cd74d9c3f4593b555399bc08ce7c7e3f5013f69d0b8

SHA512
ee5650ba2311db29ddaacb432c268310c8c192f57beca4eacdc96f323a683d93ca2cbe7e23863574028a991425983a4452326176e9a236c1fc2748170cedfd70

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
48cd0cf78c31cb7b01067b74a1e149c2

SHA1
3f2842a3805ba0cda0f68c2941b411700e6dd646

SHA256
c43730c0663f15b0fa8a11bb23b41a1a6870fcee07f07bee5050218ac913b0f8

SHA512
9ab414ea08bf596d936fb0eecfbe8576ecd05072da28e28daabe79cfed23833d1e1b7509dffd3877784c8feeb4bb0698ab7ffc36103cffbd097498d7a4fdd5ab

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7d70b7c1a08b1d7e881aad47410fe1d8

SHA1
a86a1cea625d3d0c354d8139456b238c5aadcb4b

SHA256
bf9c7d30bed5e2b4d288f0a7f977b50a49f04c893f15d1dfb24d4cbed326b381

SHA512
3deda14719e14d6a47a2456b9f3b1b2bdcc13e095c6210a9523b018fbf395bfe80be7e210da1d8f701c10ac9876316e56af806f473c323f87dbde58835543c24

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
803fd2df41becb4c8fd8bcc73c9d7029

SHA1
ed50b71d1cf8156842023fdfd9a2dfa6e3a48da4

SHA256
d7abcebc3f2632fd59276fdf541747e1566c2660ea81452012af438993c9b2d8

SHA512
63db77288f4d7b723653d9ed14ad52bfea8d0ed605c2a13e54c5dfc56087087ff13e0812c6e2c70037db0e9223e7cadbb62391c445edbce0b296a9a2f490f84e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
238b2003d5e6bf341ddbf89609893195

SHA1
9eaa745b1e13f4edbbf659f0b2ba714e9100cc32

SHA256
a404b1fefa86fd02e893fa048921327d78d1040c4460f4a10e527f627847f1f2

SHA512
bf6cfd8dffdb19218168ccbd3679858a8a32042b38ed1686735c457d47b35ca934de1fa074d5c3608bc2487739d9d598fdac83f919aec2488da0a6e1c80cb10c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d12f3de69b91bc175b1cb9057cef693e

SHA1
2fe0f17d60dae753e8fb4b8a105eac3c91203fc2

SHA256
14da366f0f7a74c3c4699423569bc66b2aad0c560abf6b6d11942df0aa838cc8

SHA512
d3397474e14af59248e30445b8fe68b100896408dbf9bdb3bfacbd76dd7996589146b9696c39e5dc5db90a937a6ca0903f7f01dbe7089fc9b61d21757f52b446

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
61502b61c6689d1c583e5ebcc374b1c9

SHA1
d79c46563b79064d4e431c20d939340fe01ab45b

SHA256
7d67746e7ee552afb7bb5c31aa26950643e8f2afe44f14707ac10722d31a778a

SHA512
ec36af3cc8df840299d0934d01bc9586065c467a3719df7a796c160984ce7c35452ba128b42b5089b7c0d6d3c6a450dc0d42b210e73b6ea29637f0559db3d5cd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
75fb071cc75826441b61f50987d50c34

SHA1
e4b3f556627f4e829cd4c990cba5f0e542b28e89

SHA256
c1ec90bff9e9fd55b1c832045c4bce40e7a2f2937239ca4cc8da2e9af7baa5fe

SHA512
10c4da4d1dfa0ce16a9913e34c380c49653e6769d20092d8d9b3565512718a59e0df66e8d6604ebae5d6fc1eb52254fcdd365422ba1a93bb0d97121dd3194e1b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
70aa3cae11f0af8e7d074a1a0e6a8842

SHA1
b61442e30f1189fec1660f15d671f82c71601850

SHA256
610abfb35d7dd034e7de88eb79d5e97f420b8b34822fb837a16fe0a448bde412

SHA512
43aec38eed111fa6bfd1dea913cd766e4a3334dc63032b955868683745d88c3a8d61ebd267c66d7ab0f18e5573553c77d7133749e6c2b2722b117197b3de9bcd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1e35aca0616cd08600d32196ec33e243

SHA1
2410c23de420694d6151ee6c7093869401adeee3

SHA256
b75722fe3367881288f6177aa99aa0c934d26a9c8e66676aa26f525886171675

SHA512
3db8b9099202eb1c16c9b70ae83860e4b140e91a36e5ed166d7f9e92797ef1adeda4d998476ba6b102a5d96aa9a38e8b0f3325af0123f65cfdb6df304909401b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5b7527a43692229fa93fea898d864407

SHA1
4d819edfa300553a11a4c67a487eb52198550f51

SHA256
9e2230614467e3cbc46a8c1839bfbb733750ac0f3a475935044b73a4bfe8a8f1

SHA512
570d3afc95bf1719c787840bcb5f1db93913b376776ef135e64526aa0b5a3c60bb6d105efe93dfd8b523bc06f359f19d9a271631aba638abab55fac2addcf7d2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
51a1e0b6b10afa986fd3e4483358503e

SHA1
7fb453326714dad2152d649f8256c5aa30bbe6b2

SHA256
495f942cefb80cd39428d251b14b581fa76419b80337db76e3106c5482ef4155

SHA512
bfb9686ccf67f23bbe7a67100fa27ab86f9808fb0f373f1db191ad8fc08e5e1ded9c80bd428624eec1e6eb5f707405b0b2209cfc6d3685e1c63811c78f48fca2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a729f9a973d37f296d0fe93de1e9269a

SHA1
dc9835d4b1da78d0429f7f701ff20e721ea2ae1a

SHA256
e3fddf2db1c71c6e7b214e6d96fa20b8a3ce2370aded0d33dd47df8ccdc2669b

SHA512
426520f0c9a3785edbd6dcb24ea3c83027926ea7d8b2060f204cff1c8acafbb46cbad996c2f4ecf0c7ca57b45b9077e69a10841570c062834d843bda96394bfb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a6bfd6f9547278bfda99d5a4654d549b

SHA1
3350fb28c3ea05171fa43d49687716e5ce92c929

SHA256
d665b870cd5f8117d76007dca9379bf0db528ff1b36a1d33e89af3c79260e14b

SHA512
f66bc23813f83bbf476e618c3da64ba29596b2a1e804eb19b5da878d169046af5b870f38a3b6117263309a89596e5e28d332d4af4e81f66f482b103acfbec3d0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
0de9c966a630dc82f6a90eb12cac44bf

SHA1
979ce120aec0e614e7884b4a2f2c4478bcf0c6e1

SHA256
09ecfaf1856ca23be07277bc97d4c450874ae9155c3fbc727f4fb88f5f0e1f7c

SHA512
4bd510557f47fd560d71fbde6c8d1180a4721a15a2d6912058efce5b4c517eeab77c1e2a2eb0ad46a082870f98c647da4017075cd0bb83c5c60d266e376d02ff

Download Submit
C:\odt\office2016setup.exe

Filesize
2.1MB

MD5
66c5e1dab814fbe8b5d7ce97fa2a4584

SHA1
ba593033cdbf52415573086c92aaa200907cb13b

SHA256
354e17fd0ac506ebcf0cba25f22ab51c2be71730847ead6abf2cf15464163ba2

SHA512
d01a722496ff9c41cff2fd01f9808d986fb75af0d7e344969870858dcc172d89311a2becfaeb40de700df3ffc13b6b8702729d9ee03ccb61c8c924839c5d88a1

Download Submit
memory/1584-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1584-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1612-110-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1612-23-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1612-17-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1612-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1664-81-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1664-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1664-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1664-75-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1828-242-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1828-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1884-49-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1884-51-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1884-134-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1884-43-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1996-386-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1996-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2192-111-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2192-166-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2356-54-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2356-67-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2356-64-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2356-61-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2356-55-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2432-6-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/2432-69-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2432-1-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/2432-7-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/2432-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3308-474-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3308-167-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3384-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3384-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3444-475-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3444-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3484-87-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3484-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3484-89-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3484-95-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3524-391-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3524-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3608-38-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3608-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3608-40-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3608-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3900-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3900-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4352-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4352-102-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/4352-106-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/4352-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4388-314-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4388-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4520-347-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4520-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4536-383-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4536-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4732-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4732-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4876-331-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4876-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4876-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5008-332-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5008-135-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download