fa26685234397c8fe902d3473b4dc05f8b40b1b482513b44b95af041a279d9fa

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
Size

1.3MB
MD5

98b82e58d9cd48f345b1508842b60ef0
SHA1

89c8b521879dd3c69071f81c038ac664a08aba49
SHA256

fa26685234397c8fe902d3473b4dc05f8b40b1b482513b44b95af041a279d9fa
SHA512

b8b7da9506432058623fdd0e69a540881d67c2a3144db2d81aa3b0f706a03e92a15ab371fd953f811a18ca5e843c32b6f16db006528220d3127a7b1b34c897bc
SSDEEP

12288:CtOw6BaIMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:86BKSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5068	alg.exe
4580	DiagnosticsHub.StandardCollector.Service.exe
4912	fxssvc.exe
2996	elevation_service.exe
1304	elevation_service.exe
4948	maintenanceservice.exe
2444	msdtc.exe
2460	OSE.EXE
1676	PerceptionSimulationService.exe
4820	perfhost.exe
4276	locator.exe
4416	SensorDataService.exe
4780	snmptrap.exe
2492	spectrum.exe
3156	ssh-agent.exe
1620	TieringEngineService.exe
5016	AgentService.exe
1424	vds.exe
1984	vssvc.exe
3796	wbengine.exe
2592	WmiApSrv.exe
4440	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\538e139ab3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042b72a233ec9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5e5d1203ec9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2455b1a3ec9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000367c3d1e3ec9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db78e6213ec9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002be06c213ec9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089f0ea243ec9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
Token: SeAuditPrivilege	4912	fxssvc.exe
Token: SeRestorePrivilege	1620	TieringEngineService.exe
Token: SeManageVolumePrivilege	1620	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5016	AgentService.exe
Token: SeBackupPrivilege	1984	vssvc.exe
Token: SeRestorePrivilege	1984	vssvc.exe
Token: SeAuditPrivilege	1984	vssvc.exe
Token: SeBackupPrivilege	3796	wbengine.exe
Token: SeRestorePrivilege	3796	wbengine.exe
Token: SeSecurityPrivilege	3796	wbengine.exe
Token: 33	4440	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeDebugPrivilege	4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
Token: SeDebugPrivilege	4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
Token: SeDebugPrivilege	4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
Token: SeDebugPrivilege	4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
Token: SeDebugPrivilege	4108	2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
Token: SeDebugPrivilege	5068	alg.exe
Token: SeDebugPrivilege	5068	alg.exe
Token: SeDebugPrivilege	5068	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4652	4440	SearchIndexer.exe	115
PID 4440 wrote to memory of 4652	4440	SearchIndexer.exe	115
PID 4440 wrote to memory of 3964	4440	SearchIndexer.exe	116
PID 4440 wrote to memory of 3964	4440	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_98b82e58d9cd48f345b1508842b60ef0_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1304

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2444

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2460

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4276

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4416

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2492

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3780

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4652
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:5916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
0f271f4530ef6b40ffad646a95ff2823

SHA1
e4abd0b4fd42b636b8201af3ccaffde15fa32090

SHA256
9b72b0bba05e41caebe893f5593308e3c9697851418502c9aec82859f635a10e

SHA512
f7b7a62d098ad4db5b3c1436e5d5ddab36efac7f428b191d6ad19719d8e6c18c44442b776dab37e1442c7a7cd6e49c43a116ea4ab3a42600feae2c2099c66de9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d4511ca6871a8927ecec799dcacba9a9

SHA1
4554acc4ace7008e80fa36dde2de8e0d5d444eb0

SHA256
fc74b9de05d9ae3b91e8be22e3cc96eeca81e5ca5ae23ea4c91a98ce8f82e865

SHA512
0b6d34ac03c92f792e6ea40f0692a2f9ca9d42f4a291b179ab8b8dd209cadc97ee3fd1843dffca7adabda886bf202d672cd08f040bce73b10e2b353a2987c732

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
dbca0155bd3a616ffdb6e8a6f5ab7a43

SHA1
43f8546adbcdaae7432fb33af3b609cbf950e733

SHA256
d6afcfd2c42c33ff2535a17a08f7dde5bbe7da552974dcaefe811ed4247e66d9

SHA512
0dad60c9ef7b6899c063abc5fcc5f46fd769e213bc13268dd375378154ccbe1ab4d388d0eed0332bc12e597f491446e208c62ac60592270d925ae76c3da69d9a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3b2675f5b4669046431d43b0f6bc74e9

SHA1
4f34f9a2c0f15fa8c41b7dce5675eb578c976309

SHA256
d01e586ed25354ebcfd4231d2914857e01d6a8ef4dab8ac40c32c0ab42acf642

SHA512
8828d4cb7d13ceb22bfb7681dda6c91d190c41b6cb232e73364bd7f5e53780e01f4e21948414492a8f73b9ae61d86541e067c3a1af36013e3a3a8f4dd21bd93d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1b7681611d3de130be2fe1bdef3eb60d

SHA1
2f2e5a28ad7b4061c5119952da8f6680e48657f9

SHA256
9ee0784e33e9de98f287888c8f725290dd7f5e8a6bf7800c620e50faf758e4c8

SHA512
4ca1ad5edb222ad96fc4173afc088da9c6d7af0adc44bbdb2dd6328cad2e3e7d211f83e208e76157521483f5f0f1bc7587c7b8b6ca9bac657b671ea6e226b453

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
815800453225e063a89fd5c58c628b49

SHA1
58ca892b51d73bcd1a452d53125a9c78779edfd1

SHA256
1f16d9331614f06d5128631e15fe21890d45bfe9097830e13ed5542ad208d3e3

SHA512
bb8fb9938058097992219693df24f42bd723f5a4cad8db48df2bb15c456b7aa57571d34f29a86ba1191cc4c6fdbda2d8fdd31c2c76c044e87bec970012841d8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
c7c7893fd1336a7e87e92d5edc488aa9

SHA1
a228d1a28cff26032095e3cc83821cd9725d6860

SHA256
c185c47fa613ee90b384478d94b1688f043ec4840ed3c65ab466a4b92d946c32

SHA512
28608e82c4af0324c56604312396a3b4c75bc80793b9293970224b30c5221ca8b7a0f389dc807b12b4fce1c75d4a79f720c9fd4a4338757090873df31c87f577

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b4f0d40e2aefd46ff861e6350dba6656

SHA1
248a5b0c9d62768712b8f3dc09252eeb9bdb87e8

SHA256
b4835102cb1939a24dda4b4c99e526b6d79998103dfba8cbd5016faaa6b5d121

SHA512
0ec889e904c6f17130c4165f229e42e1e92795e046e6638e47a34e952966a514046ca73368a6115d90136c7c6e8c44d2ab680d08b35b32c45f8a25a708837baf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
7abe74cb13d4acaaf4cde091f2475953

SHA1
143e2b98d91ddabcd4b028b3d83a8ca676ad5f8f

SHA256
6b381387976f823126af1ed4fdc96cb426445d012a158638f5fae28e328a88f6

SHA512
685ea54193c0eb6b848f9ce7cbdeb31955551852e3f633eb80e2136eadabc1ee71f72b7e14df1894eb7ba856442acad5a7ca7c3a4c4db0afa70c5ce6a1c193df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b69c22b9c4b2d772195dc03f4e04e94e

SHA1
2813936361cbe396957bef32e54d8c177885d707

SHA256
382eee8a65be84cc3a35b0f3c37dc35a59df215e5f5cf665cb254949b611dbe9

SHA512
61f4139f1a7dbcc8c6ece638c67c93138b93b9b1eb06dc7ac8faba1dfdfec79a982e3415221cdb8005fee7828d42128b10ad682210e340e057c7e3c3b512d667

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6c58376628fa451033d906455a89810e

SHA1
b37836bc0b9333f00e88fc2af69563dd5b65d097

SHA256
62dc0b2b5b8eeff7a9ea52ffd481afda91300eeaac932aaa6b385bd025ad120f

SHA512
2e8aa123abc7fe207769f4b8cbe3a6e514f8f58bbab6da48725a90c6677b3a4aaa84874e7eefec7960a2113f675f7b148e0632f95531b5be19d22901ddc88df5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2dd05a592a674b354443ad2bc1542c94

SHA1
b03ac2820f30f3a57eb9b50cde341cf68b8abe3f

SHA256
c8d3f922aee2e78b0a8ed8c26a07930a701fde4b07a774ac290c522d8f740cd3

SHA512
888ba80960efa15df3be91a98542b33f2779061d1319895c1b42dfb12642c55524a9ccbe63b891aeadc744562bc0f12dba83681061fa6737b6580dd30806beb6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
94098ee1ccf3e73293573f12d6b13b74

SHA1
5d0315e1c5209c3cb4c1cfff01ec44243b3bc9a1

SHA256
7bf041ffb679d0247f24863d6e33ee05ecac1d3c80e6f555d82547944882aadb

SHA512
f0e6a9d4c0aa7afded841acf0515061d3331fc0c74fdbfbc98b0cd48ae3367b60a3d20691603ffcfbc605ba07963ba78cd12bc191551a5cefe095bbefe132e04

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
cfc1e56437c748f26ec36f52287cacd7

SHA1
92f99435506fc562bf2e0c0b17b040092077a174

SHA256
d9645a58a426419f35dbefb32bf2aaeee2cc875890ea68d08dc95c3dca875fdb

SHA512
541783b39de4c671063739e6840c92eeb1d8185695a07b82d57fd2a422e73ec78a336631f0425b1ead97794fdd5c0baeb3a1bc1f4543e97d9472125fe3823306

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
1f637c8f058414924157dffd0df538a6

SHA1
cb8bacbf6c94b3b2d028747068ca87a659dd71c6

SHA256
83b1bc1d1e01907a3ef2ac6b44f9ef9f44e0ceb94c862d8b7b513872a9e0a18d

SHA512
908ee9e88c82d809f1fd501a9f6f94c8a021de8560ee6b1d99edae771d690748ac0f6bfcc3e69256b06aec859a7cb1b08ec993b8673aef7cd5296107e677e8c6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
483d3571f85dfd654efc39541d900b90

SHA1
e7ad2747baac98d7b304cc0ac1144b3104bd97f6

SHA256
7cbd065b4095634f004ce88c7f02be7ff81dd6b9c5d867813ab11449e06d0734

SHA512
b8047a1b9fee7c49f68046438e045ed4a159c3ef333c0f7d6e87c454a99e147e0f341011f47001a9fafa2e5b5a7824ba8ca177df67cebb2ba793c97c6483e82b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
d42c9c98bf0a5b5e79a64edb7319ebdc

SHA1
b8d98231a5bc2bc0c6ad8927d7b5a640b23f0cc6

SHA256
aa0d46195d85f468502c794f5b7ece4dde72d41d5cd3f40865c185067b8bfbaa

SHA512
a2f6340800e4696d45fd1e726a1295d1e2c2f9209ca6fe13428520e1b1f490c8579d194d54869c73254972909d79cc846f9c8b56b96d4ca7ccf0684179be292e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
2a4cf92dfff2fbafd837619273068b2e

SHA1
35a16150cd8995c5ec531387731aad548a84a463

SHA256
b3b522995876f61ced5002ccfae140e85b2c646fdb9f6a91b80e33e124c57c30

SHA512
8e15812d402759be376deb27b2674cd0ae68ddb12bf669ec2fc2288cc54945ed7b527d5864706482c87623af54fa4560de5f73b12ea936646f73b687f1fa8432

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
0b61a007c917f124a395a95653054d89

SHA1
4bd5149485ffbdb07ce2f748f5aebc41bbf844e5

SHA256
524ad61f1741ca5f1cb0f2744f567ec5e5696ace443b79ac6b3afe1afe091de8

SHA512
60112dec7a604618306e06b04421418195c1cb0e64d5bfe646b609a932bdb0c655faa2e27c62b5bdf0fb59f1568607a23df99a8c88627252254f5139bb2fd2d6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
9305abc41c1ac351821749e9fbdd43e7

SHA1
d7610e5fe45c39d85c4a271e36178ff9409033b5

SHA256
efe6106e0e594c17f7e25d70d848b1daaba5233ba621701022af00caeba90015

SHA512
022251aeaf85c2e9fdc00b56f9f6080c345d7a95db608b963b9f0317a2671bc64d961493f619065a1b0f4e0a1d8a4c772ea9823baed7829e595db9b72139e083

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
dba1655044e0d9eab18f7c1a7a418e6e

SHA1
af31ff154bcf740e3adcff603e150edeeab7abd9

SHA256
ae5b241c702deb401b198d0a718bd8332c40ac76759e30f3722b664972fa87f4

SHA512
5e68209496ed440186414f5e63437cc0f097f1f5eb898e8e88c8a2aca6d327db9a16e9416f0217cd239f485c3bb9e6a21aa8fff7a9314d636464f2ef4c70298e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
07b7fb07dce77f51bb2114b6b6cb16e2

SHA1
b5e8374eb1745fc74cc41d7d0d0ad8b6a53adab9

SHA256
89e3488e3b09881ea211a7f5b99701b6e8cad1331b0a76a332c1b261de9b89fd

SHA512
0553ed71dbabd64cf15802e4ea26dc155cb160bfbd5becde5f973b7d552129a9b8971231548c3b7c3279a2250647592e02a40e4d11581f50e474a473d085ab84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
830e3ee35ee85db0986053e651e70b0c

SHA1
9e3cd105586f226983607a2d9efcf3ecc3f40509

SHA256
c36fae8fbda46a2e22eb22d847dbe89940a1445143f3f1f0d110b5e37160a915

SHA512
40c793c4840bdf63aacda742ab16d055b8f9e92bd13e443b10771c256b49d40914e1edf8221492731daf36a1a299a2cf14381891511677bfa02cb6afc861d764

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
1767de6942e00cf61e03d614e7edb968

SHA1
5fc6fa5d5547372abd1e3dacf6f33e0b7e0ca5b9

SHA256
1ab70eec1c3316a88704b4df2119efc50557cbe54bb61814772d8ed6f1ecde12

SHA512
7a494c87b65f37cb4680d03ed0f4d35956524b4305f064a523a6e195593f8190600d677e6cccba7423ad3ef0e05b17eb34c24ba654e2283447432bd4204b191f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
4c22dfc17c368653f623a28c8b63d00e

SHA1
bce8e6fdc0149106861f751974e2745111106726

SHA256
922c7fce876dc62f1483f133a8e8aaa35cf9bb31ccc47e9e8293493ec80694d7

SHA512
909d25c4faf71fc2afb29c340f1793f545b857cefc4bfd14c81bdbd08c88d739b6bbd2c4d43705020542100862ee3ee3b371897d2eeeb9d47fbc6445e0e25572

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
0d1d24a81d00f4b473a7e85fea70b9b1

SHA1
36aa5c8a01c6cc394ad6060b2e1a111691adf09b

SHA256
55b6c71624ee556ed11e2ab85e4c892f361784bc68f1b67260581f81c0a0a3cf

SHA512
1ec4f1dcc3bf6c706ef69acfb696617c4fe78fb32cfb409754ca832d3a344c1a4183f4d8cfbfc825e6e6beaee681e4a19e1931a56070dd6ca0a4d3bddfb725f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
2278b3a94f09ef6950ba677f1f035e81

SHA1
e6ce45f3739f9b6cf4d0733f98f029dd66c627f5

SHA256
3dd9029b0866ae8a32da4a6efff57b2ce7e5342db50822a0d030d23486abc6bc

SHA512
a502f2a16ae90d26e2d7c01f601fd72d71063dee6ee299f30efe7951891f322b2bcbaf04cc2e79d313755674fa3b4c96de669aaec11a87e8aa886ef693bc2692

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
671d4e859d67dd1b9d8a69f177d4ab23

SHA1
c6360f0b0c3de74f6974dc26cf8ab46e3d989ec2

SHA256
b418d02a8e557da16fba167eb7f986b854659e937b4bf6c8345698097e947fe3

SHA512
8b8312ab7a05fddbcfc45bc3bfadc0664638d7607646e317889b7be16b6aa4d64c080e99548d606cd8a2ae616343e44b1184ed2bed78e0fa99fbf0ab31f5f403

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8754460dbc97f7f309d642aa9c757a09

SHA1
0c9c6b8fff35b6d23ddb542edb76dc98ff11d67f

SHA256
b9a455d2f4047404f5ccdb1da816d438c2ac590219a993a2ae47234e2156584a

SHA512
ec5073944452b3ccc54e11d9fe97a9f7858995e737325e87bbdb2dd52f789fdae1bfcdc66e8fcd1b68dde7e66cd257add2c2e081e975c3ee87b9c1710cc4920d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
59236952ea1c606d802a30329f36fb51

SHA1
a1cb722d05f5adf91b9a4ba81cff70ef4c2c5405

SHA256
f0bc3113b688fd479e4d9d8268f6d537e12a46b2c112d942ee3f46714e98e487

SHA512
b00002939d2e9181114e27f614d32c760650dba1b371773af44ee57f0d3721b04ad0980925551979a3af25773a112a81d57b3f1e421da15ab2fdf58c66c776d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
410f8800f993ca5f22b6252c2a015cdb

SHA1
5ff25f991a3b0a1bd0daf6f517ddadafeceef49e

SHA256
e9c2ccd38809ea3e9e28ac01b762c147d84fc1f11bccc0d452eb86aa756e23d1

SHA512
9c2976c18398370c90b7598c871b726fa260de7fee9a7d5fd6ba1650ef52ba7b5957d86cbb72bb14edc1efb6f69742f1f825e91bda11f022ed8a8acb5a5188c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
4d217785f4c98e0b6752949df4fa7c2b

SHA1
4bc10483fc25c9e4949b4dbf173d9fe4923f6c48

SHA256
e7d93d3f8f93fb867e00e352275163249c62df8268b2aa4e3d9ae23291011953

SHA512
754394921748cd394b4b46c474b2501a5a56c4e1a99bf05752425de371063cbb9051bb8e064b4caf2ca848c520c7e3fc58a6e2576f330fc88027c4b6b3ce14f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
f576767d28ce9286654308b7f841ca4c

SHA1
56deca436d3f3f07e974c975031c6aaf7c966c60

SHA256
debc913eecf7df822413bcf837bfd4ee2f97af89b8d2ca1401ece69ec78212b6

SHA512
363f42a4b781dca160baf81c50f836d5a6ff90c715e8f528a91220283b0ae2cfacd8618c15d7b5d8624d43cfdb4b84462b9ff108882cad66466d251cb79c8ddd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
089eb1b47dec48d6b341ee53096e0957

SHA1
1d9f5766bb7beac35b1d5bb6ca5a5cace8fdca73

SHA256
ccf502d9b012c9c268542a88de3f43d21101078c716ac7d213f040d648409acf

SHA512
e32740aae25169016715e1da9b6fa945fa06058a06061af22d28410803cc195914eb5064e13602f88197bba7c80a88f91866fde107535b8f971f766d4c99c4b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
587eac1d6e22c1286b72cb8b60bf1bef

SHA1
db2d4a1a0d9efa5c12f0dba460ed211214710245

SHA256
1dc11edbc7bcf1b8124df73cb848f34d5c5bf0221624d0e82b4dc4975ba64fea

SHA512
535f7e6a69212f92f06005169bbb1eae4f50a0c7594ff84769b13b35acc057b12ac25a5edb5dc976149ca393bd4ef22abb7e074822abadcc8ef8372b7036fbd5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
46e2049cc04ba276cc047d9ea934ce12

SHA1
a85c65ba9a2999c09e762987985cc2806083a46c

SHA256
b14590d6c09bfeb47ece0377af0eb2661fe2919ba8aa50eb0de614080612a540

SHA512
55eaf378681d248c895d6ca07ac08f04a7451eee2941b073cab063aeab1ab7994d7b7e07041ee58d9b647485b49f6cd92b719714f22afb1c5b96b2f191132d25

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
c608430eda1b2effc591d2cd71acc55d

SHA1
151486f7eb91db4b93cdf20c8432bea4571d56ce

SHA256
279915b2177929b3157edbdb6a29e22323970ab7a5ec4195ff1296f614ace77b

SHA512
721ffc314cdd79b096bc7c92fea24805e9437024cce4f1f109f5e513fd9f16b89cd5bb3d5c6a02f769b9e9ddbc004652d24c0a7f473d7f2688968b141d06572d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a78bc876df78e73e82ac78bfbeb5b728

SHA1
9cb58647f8481d85f0c1d7ba9cbea85ed6950292

SHA256
6ecd57a6e18408bff0e14e9640fc8d9c599bacee1aef9a137e39c897a8c0949a

SHA512
ae111edd527392ab7e8c66726947096a885cad5fc84b096ac878c10fe0aad170ceb7967effe8c1c9675489001eebcdca0629aed5c034e2e285cdfd53535deea3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c60a279831e703100daaa914f3ba8fbf

SHA1
3740d7dcf9db2712438d505320877f648c4a9422

SHA256
672dea70c39b6f9753a3dc6be84211157ebb7722fcad11b44d693a3181ba39ad

SHA512
ffe26c758f919c0171ece667cbb1dd5f817983a42b36e286c912e15eaae0c4727e3ac8ec17e8c03e7386fc83faef4dc4e60c9fd98c8317893211bdd538a4c6f9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
649fb954d3d1fcba8561a803a3ad4a51

SHA1
e03838f287a6935dd57f79fce1c112e112e4f64f

SHA256
8b23f3d4ed808f8ba885c471eef88f17bc141ad0b98fd1a1c8ca120644cbedf1

SHA512
d74447dad7a05855a5adb08edd83b55af10810396d78d3a3d3700f3465ea92f09529f2d9e7fb5e1b960257c2ae0c2846f0e51a8424935d6ae54e6138dd02cac2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
98490090663eaf6103eec57e95c0c6da

SHA1
7f5a767c15b0ff2ab4ac89fdf92c4f88e824a729

SHA256
86faed811a04a164509d8d75797518057f8bea80cc9031565281ceffde5e82af

SHA512
5c3a0328c336f085a33b0e025f38547ed8401f0c418f42022b9f48887f563994d9fd44224a1f0f2d4dab531899bbd841971057af952908272a6611ff5085abf3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9343b3b77d9f6812926ce3de3857c573

SHA1
15cafafb976d4abe64594cc2346b212e6c882a13

SHA256
1b512fb99f9ca3a59973640476613534c06373d207eabe8950226c624e83594a

SHA512
37a4af941758ee5b14171220e79ef54ca57f3eb50b8e0167ce9daa8bda99ffbf926f63851702217d1f59291efb78e36118b62f202120a600f340332bfda769bc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
c3ba4dbed75f2df7ba143c06e0187153

SHA1
9573bdca95d467225aab99238e6bde6949a48d20

SHA256
9cf5d792a0f6fcbb778937056cf53733b58169249b2ff44c7d17fff450691035

SHA512
38b89f22174de25b8b43a5f899a6ba8261407a5b4b337d2482c77e3550700f1807bf683809c4d82bf43091844ca518838832f2373394a429df96717177370dc7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
003d6a7dc2a339a9483c5efb84f39e94

SHA1
9322ab90965a3eb309bd99fd2ece3ee9cbf191a2

SHA256
b55caa5e6c65d45435b9026ed7531f4c41847f0e57a7ef457617d5375ec197da

SHA512
35d69a72904d4132f97087f25a233f13ca120bddf1f014592e2924373913d28805a9b32837df81eac1eb438b6cff72b4d89365d1e2bff3db98d1686909e3b217

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
68ffbfb381d3b46d96aa85cd53b0a322

SHA1
9644dbc5fc2dc7ff1aa01373b1db64c1bd2d9aae

SHA256
1b96a44640908a6741cd24c8e2eced350ef325642b81017e1a2e4fbaaa9fdd84

SHA512
57c4fd647d8b096439432f03794e8e6192f2b21cff4b1fbd32d960ce20d1fd38102b3b0b2eeccedf5dab93b4653b1e4f2340e5920daca142bf8e8e45be31360a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
902fefd7891a1d9a580321882864e15e

SHA1
56f11cded614a4f8282440dcdc47e52b504f0765

SHA256
40f8a22d3890ead01edbdc454d3e4dead45be699d357f48051e9b92426873870

SHA512
5969462310ecdfeea2d67cea5f515133d6dbd7e9ab7079739d3f80d6c9b9532fc37f2521f38c1fed1e2d2928017028f00b6b4aec1f28a1bd9d4801bd74216df5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9a9ee52e6585d78d07ee3039c68ac185

SHA1
d2b69ffa6746bed019cd1ad26899a698c28898b2

SHA256
b2390ad2c2a0b067c140b7e8d906448061639c04b4633e3d174b024bac29fd87

SHA512
792c731f6fdc4a0af1eb902b4f5911d48456433c124954df1f2ee48c2e492b0cae38895e0ddae7586ebb61a5b740f4b1f4f1c76cef8e4ec575dcdc4a03845cfe

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f5972b1799481b0e7cb0f107608d5988

SHA1
ce3e5b20793fe7b0722ed2ed20e6eeec66357113

SHA256
f69a5e280fa3ce91af86794127db871f00c0c51db7e7527908164a53e79b2fdd

SHA512
f38fa4cde275d81fb20a4312c38630a2228154998cbc289bb8b386021e7e29d00c78d99cd5001c2874bf19c63041c466e49633e30d019535a174fd8f08acfeb4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9cd80054374a2de7ca9bd4ce8122261f

SHA1
ef223c70a1cfa9bf4628a0b4a931806d0618046e

SHA256
8352f273361f982837b52c1b7617ae2e07cfa2fa7b7c7540beef029b8bf3de34

SHA512
e3eb348deec22d4af70f711e4e4a0d5117010b0ea08a6be788f9f1485b8faaeb31496fcc6a95c5f800998778e85dc8ae686c284141b71f6478d0dff10411b9fb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
36c75cbad311085b65f883ddd501a7ce

SHA1
7cf548faeba7b217af6b1c074677a433e5b34075

SHA256
bcbd1836e8ba92e4f7b6e620b53864a8cb13389e6ba85e773066ffc283002873

SHA512
f62af4360d98d7dee0fce9f69044862fa690b183dd59d2c388f2ae6afded62b77e6d415880115b4c526d588844e29e855bdee289a89da0e6145df0a97cb9e54a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2fd9d7aea8c8a3f57ff60760c0ac6f81

SHA1
6bb98de81e6cfd9bea8faac151e562747146c989

SHA256
f41201191aadcc1859cbd5161a742ffb10fec0d7e5313b67c6a0c4a0f3e2e931

SHA512
1fb3aee8f797bfcf8a532331116fc76c7b7dbffcbd9e522301501bea4ca30cc668d16f76a3687662318dd7802adf1fb97b63e9883208f6e7f2b66b66404e5855

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
58360fc0f9e8cda76c80903b8187d8b9

SHA1
5cd0239f9254ba5ef9cf0c58d81fbb3b457a7d55

SHA256
1c7ca9ec3cd8aa01b429ce99d0bb8caf4629ccb85b600a0b2f986a4aa6b0fb6b

SHA512
2c691b921b101e091ce48feb9c456f701dbcc56fe60a16c22a73001f65e503a2f11bcdade260354bb4532cbe63247a9c3414f52bc8184635e8d733ee5c57ba12

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
be68ac3f6a5b03c251d0faeab0fd9777

SHA1
024b100fa6aff1cf80e4f9a66f03a14ff220a8c0

SHA256
ac7952e9e1835639276952c9b09ca5b0a3d66f50bf14895c174c393a7b3469c1

SHA512
e17c16d9c30e2ca465470fbe6705d8032e6eaebd55dac3bc658dfba117ca6eb6e5abd572ddade3a8ba077b804e2b1b1c95af1825ef234e56cd0768677cc3d191

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
d0956d77017084973b2658e1e8be5fb5

SHA1
92464d43bd2d80d845a8d7a4cfca5f591a381eb3

SHA256
e7070d9df96c1245b1c90dcb5c5edc86b73fc210c1d3b4354e1242e29bded9eb

SHA512
12c8e013b9b8d73c05240caa72b51421bab87b8f3b68e42a7b0c923874bd1e03a5e25d5a46d4f80ff92cb15639f3f3ed32e33736abef6a28e6d563b45e5b0847

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a90a82ca3816e9a00fb19adb6b0dba3e

SHA1
cb018820aff9720abce49bf2abcfda1b3c8d56db

SHA256
b155d4ba3455df3f49f5ee36997cd50f34edfe46dac4c033ee3734084cee7d32

SHA512
d6353983de45a0a56cec502181b9fa3ca1df4d758801ae825a8b260809db6d44f5c8c13c3892959418389276bf8bb265a5fe30976b3e5c3c0f1793b03e69f480

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
22312157c8d9fc700d9c0104195fcb22

SHA1
4803330669db064715bc161b33a0688e34f81930

SHA256
4991d2327b9f80a1d8c2bc3147401c7f140774e5d41c2df7b2d3f205c2adecd7

SHA512
6fea343062b6b7ea83d746ab40a7ffcb4e09c20a10730d5c547ca71f0c076f1eda7c26bb0159523d7391e5a75e757c9cca878e7fd2c4b54c6283327aa0c25aaa

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
cd1434007fa8217fd148977c1558e361

SHA1
f88bcfe27b7e2c703d418120415b1ffb2058024b

SHA256
e5e3769d80c63e1d714bbdff6110a43c4cbc6469ae5e131d5d2961017331d8b5

SHA512
7cc7249d56a7b74b2ba3452f18bf7aaff6e95e7e0bd935c95d1b519828d873d6a9597579afccc9b798240b21e7c24bad40efcc63d5fe4f665d6fbb3a4c23f966

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
5b406680bf34865418bf2cc3d062a756

SHA1
afc178f4d8c8518699e3d47803345b3a0257b5b7

SHA256
d8bb926143841721eb0a3234d13213deec6ed192812281b2810f78775c261613

SHA512
23c2305c5552ded67b6326ddc5ea4c8ca04b848d61e0b8e8bac359d9278690520be699689cb3c0a151b25d8b1aa86013b04cdc7252fa6bd43711586881d2c6b1

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
248e05b6ae386d4bee717228f7a47d25

SHA1
255d50e1e93b8fda301647d06551673137988454

SHA256
f1ad169d46f24d17ed5b32baa7866c992675a85b7ad3b5aed34cd99e4b6b641b

SHA512
23e8be2787c4e92d38e10eefce8090e3d59add95b83fd6616630a4d502069d577bd61f3f83718c5f56f387f03cc5d7b79de045c07b49deb6a4f51c952746b6e5

Download Submit
memory/1304-185-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1304-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1304-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1304-72-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1424-460-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1424-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1620-206-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1620-434-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1676-236-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1676-117-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1984-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1984-462-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2444-90-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2444-209-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2444-91-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2460-224-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2460-111-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2492-366-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2492-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2592-261-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2592-482-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2996-59-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2996-61-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2996-53-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2996-173-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3156-401-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3156-187-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3796-257-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3796-480-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4108-7-0x0000000000D00000-0x0000000000D66000-memory.dmp

Filesize
408KB

Download
memory/4108-0-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/4108-1-0x0000000000D00000-0x0000000000D66000-memory.dmp

Filesize
408KB

Download
memory/4108-6-0x0000000000D00000-0x0000000000D66000-memory.dmp

Filesize
408KB

Download
memory/4108-52-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/4276-260-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4276-139-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4416-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4416-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4416-361-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4440-485-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4440-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4580-128-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4580-26-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4580-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4580-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4780-162-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4780-333-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4820-248-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4820-129-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4912-38-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4912-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4912-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4912-47-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4912-46-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4948-87-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4948-75-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4948-82-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4948-86-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4948-76-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5016-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5016-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5068-110-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5068-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5068-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5068-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download