7b19e1ed0daf46bdd7bced280d1628c37039603388eaee648644cdbbdfde7aa0

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
Size

1.8MB
MD5

4210e70325aa1b671aa7a1caae65bb7f
SHA1

69237a4e836092b02d7d974800958671b5e2009b
SHA256

7b19e1ed0daf46bdd7bced280d1628c37039603388eaee648644cdbbdfde7aa0
SHA512

a5f0f2c5d21722f630b35703c574efe0e5c41e8e015c412a3242405a29be3dd344436627a064a270fbfc86fc41b7754dde1286744fa9ebbe1f9f07e121bc089f
SSDEEP

49152:aE19+ApwXk1QE1RzsEQPaxHNQblI7a8K2mFhbrr:/93wXmoKMlI7K2mF9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
656	alg.exe
1208	DiagnosticsHub.StandardCollector.Service.exe
3744	fxssvc.exe
1600	elevation_service.exe
4772	elevation_service.exe
1680	maintenanceservice.exe
3716	msdtc.exe
2320	OSE.EXE
2084	PerceptionSimulationService.exe
4604	perfhost.exe
2704	locator.exe
2344	SensorDataService.exe
2952	snmptrap.exe
4644	spectrum.exe
3480	ssh-agent.exe
1648	TieringEngineService.exe
3656	AgentService.exe
1512	vds.exe
4704	vssvc.exe
696	wbengine.exe
4132	WmiApSrv.exe
2376	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3756127db3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000840c6e903ac3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b5e3e903ac3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c16eca8e3ac3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f54769903ac3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000437f67923ac3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2d2618b3ac3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e69777903ac3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4b635873ac3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d45ae17f3ac3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
Token: SeAuditPrivilege	3744	fxssvc.exe
Token: SeRestorePrivilege	1648	TieringEngineService.exe
Token: SeManageVolumePrivilege	1648	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3656	AgentService.exe
Token: SeBackupPrivilege	4704	vssvc.exe
Token: SeRestorePrivilege	4704	vssvc.exe
Token: SeAuditPrivilege	4704	vssvc.exe
Token: SeBackupPrivilege	696	wbengine.exe
Token: SeRestorePrivilege	696	wbengine.exe
Token: SeSecurityPrivilege	696	wbengine.exe
Token: 33	2376	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeDebugPrivilege	1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
Token: SeDebugPrivilege	1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
Token: SeDebugPrivilege	1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
Token: SeDebugPrivilege	1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
Token: SeDebugPrivilege	1364	2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 3412	2376	SearchIndexer.exe	115
PID 2376 wrote to memory of 3412	2376	SearchIndexer.exe	115
PID 2376 wrote to memory of 4436	2376	SearchIndexer.exe	117
PID 2376 wrote to memory of 4436	2376	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_4210e70325aa1b671aa7a1caae65bb7f_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:656

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4776

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4772

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3716

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2344

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4644

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:232

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3412
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:5432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
9943bab6f6af7d7c4ca4352446a62334

SHA1
f20366ad27312ec6d23d6c0c834e8abe9fbe63e2

SHA256
8aa3ae0cec26ba3b7d81093edae2a9a167d4ace3608e0d51f9249b3cba74e2f6

SHA512
0eed6a2ad4917c17fa8930b76e1217e140aa18cefc90bc029b8a44f7b349123af60c1bda0afb2d237c066a37d815cb765d4dc13c6c8c61ecb5167e0815deae52

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
3b6979ec3b91733b1f65b89ff2a31068

SHA1
3eb350e6c33350d73aea2a1e38d321a37d1a4597

SHA256
96ce891fbcfe7e2c6d7035a59ed9564a118f6463bf30d21ccb6affc4353587ed

SHA512
6e942c54a15b39cd2e49f6708fa3d2b08e4681ff18d41d40f74ae1534a5cb91d005676535634dfb70eb745de7b0dc5bf09b0c69b5057c4d4a3712d6f6f405f36

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
a2e507a1a8e87b76c1de2a80b3377d38

SHA1
ff68cf66d8331d78999224dc04d40b9d60aff30e

SHA256
bbc9ddeba752eb82e482d63e533464c6cf31e40739d50c9e4edf0656ba4cbd4c

SHA512
2b6af84ab71c8ed3a5e4a7535ef7079e573876ec7bdeaf748f4f36f4ff45c8b05a949e1dae5c246d27a00dab996a278fcf5676e2422acd2890000b156265c1e9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a680bc71ed757c037dad90b7d5e5961c

SHA1
2b063ce9195981dada23390f2d470b525a1c7dbc

SHA256
32de08686ec01092a24b4272e1ea906c630e843bf1707682936312631ec4835a

SHA512
66cafd57ddf9c253858a92b9f241842367422c49fb0e7b071a1b9a935bf72b948f471fa4996bb5ec61186cb580553011603b960a94c3c9d09ef6d45981847e94

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
08e4480d361ddbb422f111bda0b410d3

SHA1
d505b097dcbe403ab2cafe72f5058284b562e3a9

SHA256
41385de105ed93498f8148a322c4ab598b59201dd7d3594849bb6e870024ba7c

SHA512
0be9b3e88553eef8a4b1cc586ff0e1332472c97b49842d55805ce5bd3517e631a52c660495a89ca6aaa7a912df811edb7e71d7090e9177c66bc331d6dfaeefc7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
aa2dad121791a75453179fbc28f6e7fa

SHA1
c2bb0365b247f0a8e28fe4e8b99feecb7bb9f531

SHA256
fa8d035e7909e84bd7093ec3b157447f7bbc991f4693cb0e9c590876419072af

SHA512
c74db6492755893d1bc9f2b40a3d202481f60d5b7ab4d4a15d563a380ffe674dda4ff5944ec47f0f1957f55fdabe166c517b977be70efa94df730a0239eba2f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
6ae73a7316338b4aa536f7463b93b56a

SHA1
ff9d2826423f5700a07e6b036bb0097c69a32012

SHA256
1efefc3a0b1a816010173c5ceb3037eaeae1bd1f55b5eb1cdcf5a30e014ed734

SHA512
83c413a0370d6a0f2c6a0b08543b0e9c7751d07026c635d4cec0e69d76cd97f1cbd3977dc13ae7bc3724bcdee8f2ff083cb64c6699e14816defe20fc016ba132

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b81d92502e84aa826a27808f6de795e2

SHA1
ca2e06a87585973b8d4623c801b7fc47053773d2

SHA256
5be6becfdde6651e1e2300e51809b743bad322482fae4de9ba08c65674dac275

SHA512
1a471a60be3c36cc01663c926f98d89578e013b423523aca4acf980b23c9d1451010b2f1c0726acaeb0051c51e26165ef33cfd15e487c666794a7c301b42991b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
47f261e6e4d19535d1f17e0ad7696840

SHA1
4a0617345293447b5ffeab2fc1f1cd1aadfb62a3

SHA256
522feb7f0592019311368f60eda63a6f4fc06a61fdea63d7652510def6472d2b

SHA512
3d7d498a5879de85fb72add4fa8b428cfaa921e2ebd6e90bb25065060228193c0aaa4f91ee4015526485970513b7d65a0d47d47fc2ec8b7d115c77174132763b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
6.2MB

MD5
9969c74ab770fe1d329e987f2012bc86

SHA1
62a002ec044213e13fc88e2a2e53e919b95097d3

SHA256
b9bebe4c96ff96322b6c5b3a8184b4445465d21278411d3888d8275ec8e4f111

SHA512
0fe385745972d7da0f9bb278ea3ef29e5f2e5f6569b8c3750f0ed2b09d0a4f04be39f554cda9710b291cde29b60c3e6d55f607fb6c6d6118357e007c4ad6a7ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3a808339bfcc4091232b2d797b847da6

SHA1
48936297b0cb835bc0fc82cbe946379d23f8002f

SHA256
1105686ae6b90afd672a33a8ca9c63f07d19f27ca492ce13df6815190abbf611

SHA512
49fb0af0c32b0f8ba3f1fe05e7ec3b0097fbff57c916552456e1094ced8cc568c65cb20a2eb1a2c6f1adc83445946cf01ab91a3115cb5ccd31a06ffabbf7e985

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
16acca7c4ff985f5fda581e590046d78

SHA1
467c23f297f90329ab987f5d0f46117b88119eb6

SHA256
9486439a7b0fafe445d54b9953c37122eb5f9baa2e9e669e0330c5ec0f32e4db

SHA512
02f1aa5dec640719d1242113ef665ba4278778b26a96e98c7bf1b2288239db98f02130b794197e689a68d25dd6f0fd519bdb3aa478fe29aea9271814770db0d6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
87561459df74ad5d4530447ffef6656b

SHA1
165969757aa77f2e976a34fccc40e147ac200476

SHA256
ae8e730dd7f686756d0fe4a5177f20779a592bbc015942cc51b39936bfe5da5f

SHA512
5ebf835323c262062c45da50cbb7720c060e4ae9ec0cacf7eff7f8eeee5e6a0cdbcb90f34ad199ebf274871412074a471426db0f0325b83482bfe5316d9999d8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
e4ad5b4c58d25bec37e1f3b1ed26d78d

SHA1
5dde12cc96735e4d7166d93034ded38fa0484eef

SHA256
7a6c3b21a7176b34c61955a8d4ad707cd4f739689263f795f39764d91dd6289a

SHA512
f1d3f7807e5beda10520e963b2de9a92c930287961622be3661304f791d7dba0c73105dad2c1d705247e65cb270decc4321090ecb18d40a2e3a838d2efaf422b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
172a9f65d82de856e2cdf569be59014e

SHA1
0bdb2429aaa57e03717930420726e9d49565fedb

SHA256
b1862dfb73518564f814fd74024af52e13f2c15f8c4eb57cb11d368b1014d078

SHA512
54255865be54970e939f93b8ea76aeeebc018263122ed707dc69a181306fea3e205f0f6dec32da02a0c59aa836bfe120f944cebddbed2a1688cbb0de666beb29

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
2.3MB

MD5
9623d6d376c33f0fe23b08fefc8af9ad

SHA1
e1ddc5a2aa810c2c71a4f723e16f2e1b996836a1

SHA256
06cda06258a304eea233cb647e636376b21c47286a8f7bb498b80f12fd5e5431

SHA512
33c465e155aea1417871a47cafebf3b75d3b3c50505d65c00062b5947c60130f0fa50da2a5843b478546cc9e8ba17b6c5fa606de01847702e4e3c9bd71bd97a4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
3b48f728dd39168659918b87850d179f

SHA1
057c6a1ca930107e852684efd54735e6ad782c24

SHA256
69e85a5b53b48d2ba5da38574532d61333cdbeeeb249f3950cb6b01d4df6dcf6

SHA512
9dcae6d6e7138d1e6e26f810bd7b9929c1d421b96ae2c84b06e86bd1e5ab5ebf15c6624e38456fc8d671c055b5a14e4795c8569d79059b7106cddd5fa1df1e74

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
220a557302a7d2dc20f904619283ec32

SHA1
eb6483faa8c8298e6c766c14de2232fce3546909

SHA256
bc8c10664e57a49c8b17ab0163974a5423fdab1d4bf41c3943b4e2b36b4097d2

SHA512
542c9d58d6d6a6745d861d099f03ff5cf79c68840b20c83a38082a4b669b7683b6281353643a8446335e1471ac43eb62117c0b7ec30bd6c63366390b4cd7ca6c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.5MB

MD5
23ba23372b54b88df1d0baa90fc3d08a

SHA1
ebc868e1fbafe27393b1b8b36bcae6682a9c7e62

SHA256
232daa721ee43fa4bff9189135b97fdaf057b61dc6f7ab927602627303d63242

SHA512
6a7e8ce2f74174bc54fad7e14ad8af18f1a78ab2a327024d0df1ae1b456555cd4c6be7b067b8868308468f1a890a0a89f94253988d7910dac8b8b5e9499b8872

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.4MB

MD5
5475b4619bc0125eb97fdcf2bb2bda6a

SHA1
fdf8e90a6d2fc6e2be3b212bf9323121d1cda853

SHA256
4ae3c9d7a29650cdbc8a3abcc16138f90dcea86e39e2425ff6afbd5fa3011cdf

SHA512
c80e533ec28959478e609f25f46c37a5b35ec53c6fe7e56b4c9ba6d2dc6aa5a7f5a0971a32e9cf2e074b26eccfa47df6c1a0d2e508a1a1664ba0d65dfe1edf7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
938da4f8a80b362616a6dbf2f8beddaf

SHA1
366e7d959f7ca57306353f43f04075a5b726aa64

SHA256
b9b2ad8ffaa93aaf2737e7ded7ae1917119d6387ae0dc304c986454bd64984fa

SHA512
4d3a11835864adfb040aa01238a6536810fd305d05cf1534d27fea746aa4cf540b2d3970ee9976196479faa7068dfab7fd54fba4b7226ef16bc44312e067c2b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
ede6e530526f23fa7fccb89cedfc1034

SHA1
01b508ff6ca0176ee18c9bb5e79dce47b0815861

SHA256
c7aafe811d22ab3db430a3fe4bf864e37a6ae4ac95a0263d1a167aba9674a77a

SHA512
7c699ac1250f9c22e807a2796a9603537606170fe44ed5e9a27639551a857b65cc433ce717f0119abc48eb0b93607fcbb2d25b843d3f38d9bfc207047c02899b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f24b2cdd8f4b2c296d450a1cf1202b94

SHA1
250405a7083e589b10fb9906962472cf855b47de

SHA256
84beeaba271ce094b0a1f3c128ea5a90e7b797582a0e8756a50448da965f7b94

SHA512
4c18aaa99249316669128f04f6a05a0e8b84423a66071427ee89731c6bdf4c626f98f2397f5a7104845d239bf6aad024dcbf30668b8350643b0e04c5834b3ea9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
0088c49d5dfaf81d028450ae9c41018b

SHA1
a14af337df3876bed7fa37d21e68fa8da7624ac6

SHA256
cb5e0114d2bd645a05000ecc2e1bc50300f1ff5a5a4c5a89f9bb1579a5bbfd3c

SHA512
c778e9d2d9c887f75776c514b0472d2b007a1792f88b18c39864d7fd241b257d93835202e3d25337a94c09127f5c0fe607584c2314079832ec2dc7008cb5402f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
9f3f79421b443e6522001433b30e6dfb

SHA1
019a64492fcc670963b2f1f283576fee68af6305

SHA256
d7c569890d76c2461b1eb54a2ecc775125413ec4d4db20a16434167aeb918e35

SHA512
c8a0621b68fcc777ee02af0f06569400ca7e69f72af7d002e50a9bd693bdf099b8211ffa51b3990a07625225ef83cd6ef8d67abf4766c2c0fab16b450180159b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
7e62e2776b4b16d9380fbccc5006ae45

SHA1
39a7d7657b27df4522e94238fa697cdd2e0010e6

SHA256
69a3d9fec18cb144803ba69c33bb334cb25a3e038699e245c0fa3a3bfa757e8e

SHA512
52ccaa8adaf079c20cc13e49fdf1121548e5852bbf99d018b9180e91336cccc1e272119cfc5d994832f84fedb276c2a8bf164589455309bb5ceff3ab88b3c2f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
13ed4e500abdac7675618ec590c7a50d

SHA1
1987cd5cbf0af7d3ff55aed38ba53b953f0a4e55

SHA256
ed12c2d96e34fb28a8718a5f9311a260db4352a697dfc78bd347b8708ceb2f5b

SHA512
4df7d5a3c6d560cfbc59e5f2fc3c5bef8b6d8b137358c29b260c92a0a1785747d9aac249c3ecbde14a8af78ab5d71c0fa76851056aecb00ccc80b58e902ca818

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
521cbf8ba1fc4fbf28747b507e7407be

SHA1
9df91181aaa51f4d39f9da29854b2caec11b6360

SHA256
5aa4262497308975868b40ab6baac3678e2e2d376ca5857881a67a23bedabcab

SHA512
4bb262b3d0032eae5364dc581b936b14fd0b0aa14e52aa66f89733596b62ff815e73c0e008dd22cacbb80d6c49cc6f90e171f7b3ea765fd99fabe68528dbd197

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
944f1c8c3557ced1b7d135dbe1f69aa4

SHA1
5876aab00c0fa66ffb3a6748b231ae0b7c332844

SHA256
3faa66575d15f0c6fb7e7c80ad04ab96c9fa6e8c296c249beb8040f90525a9d0

SHA512
eb706a6c2720b588e26d01872d223fa7a3ba27221d74faee93350c04b51520f4af48d7b2badbcfa02f9e81ff7eb168bd286501daab097dca0e1f40fc1890d2c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
e90220ceb45e4c54e38121a7466d116a

SHA1
4a7bd350fbb7aaaddad15a9dfc89f9554409b84a

SHA256
11ab0807bb78e8514e2672a4fd42ea0e322f10d80359fe3d98e4a92bd912e6c1

SHA512
8303d64178d6f73d9a934baa77201fa48563bcb17f5dce169d2f653ea1bba93ab24a76d9df1df491d7731e254ff33f86541c16024d520c7f94fc8e7e096c4377

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
1eee0adac2378037612d1c14c5f1a6bc

SHA1
9b4899ec066e65032fd27b925e440a4714d6bf99

SHA256
f323e4b296f2b62ee873288b84c8eb279199e5fbfcdfd0138db2612568c4baff

SHA512
5f57025e8180c494b18a12fb2345518bf15edf81907b7ea50dc9a216dc0b0f4fb61f281a66a042638b3222e3bc70bcd5e90bccfb943bbbdc498fa992c34a3181

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
3fda925366a59bd773bf8d3cb271c58d

SHA1
a85ad02db157a012dec5cd13b17e033224483114

SHA256
2504b894a6df0574d0d2598b50fe29078940b3a80f70419509fc201574aa3941

SHA512
b9f903556bda6d77bfe7720c469584f65a33cb24361f19d1f6f6e3a59a414675bf61972936be276ef3008574552f8df909d62dcd07e59bde745f29493d786f3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
572200b5254908775ee3a65fd28407f0

SHA1
39411beb6af29598e69fd2d7b6ea1ad4a18de3c5

SHA256
afd7728ae0f2a915eb84226b5bc131a17a81be8b8fd461b0cb7ecd9c01566e48

SHA512
f7a36bfe2b289aa2431846170899bbc992f6e720283c1dbbb61543cad6e4e024f1700785f35714ac228b06fe44df88887460f782912027d1ad792f0ffb60a63f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
ee5d2677c2491f044f17c4803b9b629c

SHA1
5f86d4cb1ab3653765299f941f81cfc61936ebb1

SHA256
1d4f7200d6d55cd05af463773479d27ece1f5d39db8493cd11a7901a9737c28e

SHA512
300fdc479686e341c9604c456278083621d84494697e2e62bd0a236e0ba747fb94bd587362d70040c31bc2400238e2c3672887cee169b2769f647c249dbfba36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.2MB

MD5
e91dd96d7042f5dddefe4b4140a206c0

SHA1
303a8c7e9978a82eb482865cd7c5e720bb6ed6f6

SHA256
d18cad47cc540da02d79c90a44ec8a46e9d35d631043252df29fcd7814d2fb38

SHA512
bcbe31d141f681022f74de86818e481df0690e48ccd8e43a3b80d7b6cc5529812ba8e5b8afcdd8dffd76d793d779208f4f878cf8421761298c5faf260207421d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2a963019b83164b18fdb786a9459d537

SHA1
70e3e6852fd066e5ce23ea03074dd01a5a852b71

SHA256
df1e263c0430c025a615a41bb7781f012f25dc22f8db0697e1f596a9f0cc6f7c

SHA512
f712e2c62a709b8825997dd3fe784acfd4b539472c0abc0bd1b356c9f0360fa5d4415b92a25c683da6db8e3f086bc69546f6955308da5c7f6ae3b23c5f7e1334

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
06cc67706771554dfb03c59a8836b9df

SHA1
fa025168eb9e2ad0b390814ec0ad75587702b863

SHA256
25aaa424a460b5b19b2963004731e8daf825cb068e4e39da9f3719c8c853f649

SHA512
9b0f48b87bd0f6b05dfc9c612edbc950045f5762ac71a5fb6b7520da5984ec777d043ce7dc0f8783992ac6c880d3e364f8f1fe642d3d847bf7119b85143693d8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
1167066a465df2f189addfd7e49b34c0

SHA1
36fa9f52a251c174f3aa6dba059fbc9cfc6c1467

SHA256
d9a6120a6e2879680f345f4ea822028d3a0b4b294e1d196d32d18602c7446515

SHA512
7e3b61ca5238cc0362d79a997724efc542e9911ede60b01e75c19f97c92c0a6d1df2e066b1b9a0fd0dd8780e0c0135f6caed39b899d9e280eb9e53c9eadad29f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3512a96da35e3a345e435b81d3e865e3

SHA1
c45a3d3036ce60ae4a39b21f05238842f821a738

SHA256
3cac1a6771c6c42dc944747a4743d502e2e78b2fd92b8b0e7f1af27ad7b4a0f2

SHA512
d130fe76f4489e4bc8d56ef5c17bea7f302f7bf62171101f3911995b682e4b4381a4e2ea069ec3e3bf4aea90cdfc934e6f463caea251fa14ccf304036896ed42

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
6222d4f54011bd72e8856d0c786bd75b

SHA1
30689b00acbc9a4587e4e1653a7331d568a36542

SHA256
0090c8ba2dbaa6d26f424ee4321599c3528b3d92f37dd13a32905b73f12e974d

SHA512
64f02d5c761f3d1ab4915d8129398fc1de102a9f1d68201912c2ddd560b751f2adda52c6263c9b7af15660536586e176378b650d082140c7e2bf99cc045fd960

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
235577ca26dffb4f15efeadab77b9bec

SHA1
c60dac38a299727986bae295d8b6a2f89520ddfd

SHA256
8fccf6d00dbc6034e2f77f1955083f3c44d7eb63a1583098618b05a77e350074

SHA512
897cd9460c83ae179ee1912cad988b7f9fb8232293c7928d845d34c73c28591ff3b78b96ee5a0ecbd504ed61a4ddecd2bbfa7019af78c3974c560d0b51baa325

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
cecd83bc674434d8a22f0707e9763e43

SHA1
9e5d77afdacc0db323e1e5055f41f79eaf2746aa

SHA256
7795c41b856ec40c50e9616a9db7cb73845989c95cdaaa447b8bd957c6ca5f81

SHA512
c6f6439ea3480c07dfc0de395c2ec537b93f0bfc3cd687f7b9bbe27a5d67bf2aa74410964e166c0985877392ba0e99bff592c09fcbde427e9a4a02b89047682e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
3a396d829ce9c6980db5cdf143091b1a

SHA1
18178cfb7520c96a607c32693f47e8dffb9f17df

SHA256
e06f3c586786fb07adf4ed9eff44585538e2f7c9d323f0b777cf50a279262c69

SHA512
515f7f6d813254409f7b81d5696ba39c5ae3cf76c239ff80b61aee9a3058603f41d7c9c2ad61a45960f007b8515b6436e56449e3e33a5fc6c9dbe230ee94f4a1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
ec3eaa78c5b16fc7c7612eea64ade992

SHA1
3d0f85c6853844d6c5e9d4f3251a076b76028376

SHA256
b59d4fd12a14b51c0fa08af44c8aae76f91e02496e743f8a3c33fa199b3efeb2

SHA512
8500378063597a25286c075c17536deec1356fe5442a68895c0dcc9ca2db2577f06f656ab566d0edc1e2c1573cd766e5e85a3f9c687d3e83b1aaa7a87629f18e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
800071a3361ddccc5955af84b81939cf

SHA1
5ef85542dbe054a976e01c51a29c3b39a8ec5a5f

SHA256
b83c234ff200fc6c8f0da3f74eb8f825c32f60d033451c8f2f261aab33e24e71

SHA512
91003e16fe9efb9313609c5e88f692150a184df3a1b0e4d049acbc4560a67f5ceb6a0ae4fd94ffcfb02b682ef3b0e4e07d87e7e2c1ac1891e7b1399bf2412efe

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7250dca100b448ce70ef0fd17465b9b9

SHA1
da0f422bfbbd78547a5a4c66db7aeebf8a1f0639

SHA256
929103d7bd6303cc4917c930fe710ebea12875a1c1a8698e4821f09c21cf6bc0

SHA512
2b6412654b1401eaceff202c3a0025a3b1d6711ab1e6eb8e8080aa64ab7782874588b8dc3f719815fa44da1c0dd63b41742c9f0eb752cabc70ba774262b3a7b0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2a05c22327ff8f2ddcfecf23e3a747ec

SHA1
c80ced06b73ed409f9760a068426aebb150a1743

SHA256
5fb0613ab818125609960ded15e000e7a9ca39ee3007ae8b61a6e74b1bd607da

SHA512
91ac9368f1df6eecc34ae03eecf53970f7405bf9ae265de736071f700c1cebd0eb8e4949fb01d3d7b17c2e40aace8c0ceae815de3d3ccd3811b582eb1c7b936c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
7f759dd9ebfb98a7d240a4e9d4c9ef25

SHA1
4feaa70214bec8ef1325e6851001d9bc917971f8

SHA256
58e8a2dbd73656b501ecad4b5e786e07d3820b1a96cc4bf28dff61f8b937268a

SHA512
1e78a029248003882f44f2e56c7e404cee4139c952ccc2bc4a883deedebf18cd0228e633e5dac543e10570777da962030dec525515a455d3a2ec8aa7fc74c1a0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7f523a2b7247b295edcd9ca5a3f22956

SHA1
e17ec3307ddf7e125a04f99bc70438522393aa3b

SHA256
5b41fa1158d54d550e4c990c2a412286eaa6f313e32cdf911d33770f9f337c72

SHA512
bb371ec95e313c809c98ec2415bd3dfbb4ae4bb64de71c64da15bdabd9290bf51f45c66846d72abbbd02d6efa0d7e6a112cfa3eeec8a0183eb7f477188c26f69

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
017da374b6b0890b1bb24300e0d0c960

SHA1
933fc4da4bae5a7e15abf9a7b4148d3b65a4be94

SHA256
c65bdb65ad21100a49507c1ced2ff445f4b7ad742ba5e14c391a43709c0bd249

SHA512
2c3654969a0430227b354e6264b480baadac6eec00c6616a67484ecd47ca022f27e92274faf6df6f8a16bbaf9232542dda18ab830571da788130365980c78ff7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
c1b12bc69ae8542fe94043ebbe313806

SHA1
61a1142074f8be3426dcb139f92677413d3745ae

SHA256
ed453f2365b8249c584c70d1a0f3d48c4d9a93302ad09c4a0913418ff1b7145c

SHA512
7b91e48d0194ccdd9880689a09467e6266cd7bad351272981269e6b177baf6e7900c4eece18c6138cd457b28d1f3fa4dc10aa6300cf9759f5e06d1b9e743be50

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
df7ce959e63c6f513c9193e2a4dff0bf

SHA1
42a7e8989fddabbab3398b81e6cc3ed46b1c17d9

SHA256
e021cb99984d8a759395d5479c24026d36675032123a0307c41a5c3ee8b1205c

SHA512
f45cda95bdd9160fbe62b49608f62384f507a84d696323d3646b0abd5d3936f1faa0d355e8b86a5dd81f3bf95fa9f70e9f6ec1e7ec6531d05ff592c085500e05

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
dbbb0c74f7ccb1884d0cfc87fb9b7448

SHA1
2439c720c8c9374f2e82aa337f3919a775435efb

SHA256
9b8f9e5e51b4098ae3d95b0b5fdc3787d36e13310665c81ece11786c19490d12

SHA512
0dc0bfcbe69c3e901bb2d99ef298b1a0869bdf916bf4f7ed2127777dc63df7713f2c23b432af96f1997c0e0887f89cfc07e3cb2a565ecbabed6082c32269cf5d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
02fe5d419d381a01f4ebbf5dd52ac73f

SHA1
214ad967659bc3a0497da8c992735014868bc725

SHA256
9ac5aa50069acbed86bc4c96a8ebf048605c093a74a9f0de1d02939ef73e1ca1

SHA512
abc444931c0cd0a4e085b5b070ed2556d3a08348d68470145cfd9ec97c41f5f63bf33fc54ebe4af860db36fda6921114eb7d3de99893070aea0880e3ea61753a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
731eafff26358fde13ac436007da62e0

SHA1
1bd12df64965379e67d59134891f33832430ee39

SHA256
f5cac456fb5b310172127cba25d6bc6d0b88b7384a4b834ffc2782b5ee71d527

SHA512
ec10762628cac891f06f4d88a19592c6617fff7c9745269241e352a1354f82c9e1defbcb6807160b0bf3ee7583a508a7e6e13347e5937428103b45fcf1729913

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f9f2ac3f06b0528b0e5ab36a36f2c670

SHA1
102750b029f4cac055c3d078a26f8208f441a0d3

SHA256
82b844bb45e942105784a9644f5e2f2897fabfd2d6641d48ae2eaaa3d063ec3a

SHA512
2ff8816e2924031cdbca30cd83019271ab173b621479a93a3d2a93b9a6d06d6377b44d90a3c797fab4652c5a02286adfaea2df855875541308ab9da77bbe83b4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
14b03e0d596eacc0cb09a24813ad2edb

SHA1
f407e5cfc0df7d9f8c11d16b19d7edf00acfafc4

SHA256
f6785b6c78967429a779bac99be512e1827c300d89f6d96fb89869a0d0b96dae

SHA512
8b8e3375650e548f370e352c213798694f7c005c1725256cffd4dd6174e8269ab00b792ffa084fcf1f17f13883f03971b3ac9cfd19152b6f46091243179cabb2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
bb60b92097a9a6bef8d1c80f6666bf0d

SHA1
4b640388f78dd8d28ace68e71a2f0c3072d20432

SHA256
f0f91cb28ebb0775111a1e108202704919baff9addae8f1753ee5e32d500e2c2

SHA512
d38d5e8fc7c82507a33443e9fff5b534456db565a2ba181ddbe12fd0b9bdfcf5b94d34e7179c5fb8a942ed7cf6279de3eb473cab6377f8c9e1e2b116f8d2c233

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
ede02b1ca115da9d4361da4e9c0a2a40

SHA1
0a7425c6e95c04daa449e6199b78d2f4a1409d3b

SHA256
4bef9dcbe1d3bf4e1196c925173f16ee181caeb072697180bfc0fd7ce1fb7e17

SHA512
8654d50ee761f61aa68622945efbce37db0b6cc31f33d281160f41583f563f8c8a1def0ef7e955f2c0bb4e0144fbca6a2aa617f5b74c2b549ea85385e35eabb4

Download Submit
memory/656-91-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/656-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/656-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/656-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/656-12-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/696-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/696-441-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1208-103-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1208-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1208-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1208-34-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1364-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1364-7-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/1364-6-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/1364-1-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/1364-47-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1512-428-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1512-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1600-155-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1600-60-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1600-53-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1600-54-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1648-192-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1648-396-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1680-75-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1680-86-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1680-83-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1680-88-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1680-81-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2084-229-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2084-118-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2320-112-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/2320-217-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/2344-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2344-333-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2344-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2376-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2376-457-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2704-253-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2704-132-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2952-326-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2952-164-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3480-372-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3480-188-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3656-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3656-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3716-191-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/3716-90-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/3716-92-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3744-39-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3744-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3744-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3744-45-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3744-49-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4132-254-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/4132-456-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/4604-129-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/4604-241-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/4644-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4644-347-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4704-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4704-438-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4772-167-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4772-64-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4772-71-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4772-70-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download