63412861941909a1859295f492a09253a3c019b1a346202f39c05d20942148d8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
Size

1.8MB
MD5

2d120cd1ace0cafb7a2dc788329af277
SHA1

8175ac5f8869c10c7f64a8a71aedefbae18d0c67
SHA256

63412861941909a1859295f492a09253a3c019b1a346202f39c05d20942148d8
SHA512

c047405accb06cc70a09532b29488a1ffb55c953c0ec252c0de0bb70b0ae1130e2da6a4c0e5f39aa7e2e2f647f7327a0e04034c2b635a5daeb73c5415400b96d
SSDEEP

49152:1E19+ApwXk1QE1RzsEQPaxHNLMdFrIe78vH/:293wXmoKoTjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeSearchIndexer.exe

pid	process
3748	alg.exe
2400	DiagnosticsHub.StandardCollector.Service.exe
4912	fxssvc.exe
3624	elevation_service.exe
836	elevation_service.exe
3944	maintenanceservice.exe
3920	msdtc.exe
4936	OSE.EXE
1424	PerceptionSimulationService.exe
3512	perfhost.exe
1512	locator.exe
3736	SensorDataService.exe
1652	snmptrap.exe
2648	spectrum.exe
2292	ssh-agent.exe
4912	TieringEngineService.exe
1640	AgentService.exe
4976	vds.exe
4180	vssvc.exe
3316	wbengine.exe
4232	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ee7a1e3b92be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cd0687e9cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c640357d9cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db2c417d9cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000150d457e9cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095221a7e9cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060c79b7d9cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4f8507e9cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c640357d9cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032e71e7e9cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe

pid	process
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
Token: SeAuditPrivilege	4912	fxssvc.exe
Token: SeRestorePrivilege	4912	TieringEngineService.exe
Token: SeManageVolumePrivilege	4912	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1640	AgentService.exe
Token: SeBackupPrivilege	3316	wbengine.exe
Token: SeRestorePrivilege	3316	wbengine.exe
Token: SeSecurityPrivilege	3316	wbengine.exe
Token: 33	4232	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4232	SearchIndexer.exe
Token: SeDebugPrivilege	1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
Token: SeDebugPrivilege	1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
Token: SeDebugPrivilege	1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
Token: SeDebugPrivilege	1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
Token: SeDebugPrivilege	1384	2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
Token: SeDebugPrivilege	3748	alg.exe
Token: SeDebugPrivilege	3748	alg.exe
Token: SeDebugPrivilege	3748	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4232 wrote to memory of 3116	4232	SearchIndexer.exe	SearchProtocolHost.exe
PID 4232 wrote to memory of 3116	4232	SearchIndexer.exe	SearchProtocolHost.exe
PID 4232 wrote to memory of 2572	4232	SearchIndexer.exe	SearchFilterHost.exe
PID 4232 wrote to memory of 2572	4232	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_2d120cd1ace0cafb7a2dc788329af277_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2344

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3920

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3736

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2648

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3620

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3992

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3116

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e57df21497f25eda01257db5e275cdc7

SHA1
2fe8917dec57a82b22c06d58bfa3561237cfe3ad

SHA256
ddd5ee84dcc5929822c594d46c94ebfd7cb6936cd2c7694fb6f619d67f89faa0

SHA512
14b44ab157be572d81b11f985abaadb0e3fc1a9578a289af5efd8c245ac795394827aad3121af976dd520dd21aad862efc7269a383612e6bb4695fff4fdbb3ca

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
062459961281309455729365698b0d9a

SHA1
bf1c9afb38aafc375d0a679c46e04781af3e0726

SHA256
547abb6149bee7fadcfbad4658cb01d9df6b5967533ebf578d814fd003c394b6

SHA512
a4591469502132757b9de66f603ef6a98511bd655bebfd5d70e64b63e57103bb1716336ba981438398055b65a563669bf3bc8234aa07e6e48f6c09410b10531c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
376add59f6823b450dfe71c4b55fa054

SHA1
b11b3e4f0a6ca44cbf00360ad0dcbef4c24ce67f

SHA256
33cf9accb27338438412b96917400e24db21a4f6cfa1e3fdaac2ef557b807fd8

SHA512
281597f6061ac25f6d9d0ceb05b857df6e2bbf16c7ae23cfc57776a1d7cb95707289836c5a322399b5816a1d8058034f78ab5244f30ee2404f180f3a1eb1e1ad

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3c25478b7b95e355032db3b3394f27ca

SHA1
deb6b185d9351c50ab958bea6a0ec9c30268a339

SHA256
3f85451f3a3cabf3dccf0e80dd1bd6229947e50db521ca3e30c95fc4eb46a40e

SHA512
a534ae506acf022c86857a0da0013e55c3d6754029d40e253b5ce2e38cd3037b9e2f2b8df6e1e4c0ec7c311da14fe65edc79056170015c5235af5464ef4c8188

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
322bb8278c44f3050114ee0530f9d3c8

SHA1
d6aea93b6c44d063a8589a1fdf500f28c085d20f

SHA256
2512fe95ce08d139074f45da790c6651f44bb7307e49b9c7f0a89ce4becef4e0

SHA512
654765113205b52a313be924da5754144c3fd555c455e3305ba27935a8b528ad00d2375f934457184822b68710bb4f9d5b78ac2d21a085061c104b8d8e20e213

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
abbfd871a4d3c12dab2976bb8d8d063f

SHA1
241e64103c7167464e4ae24a0f8e2f3b52cb7702

SHA256
23718ac52cc63f27d2c2b739838528890a60a557a4b57486593972fd236ce69f

SHA512
ba038ffd6a448a442c09c7f167020d33b46be39032005b53f4f6a8e3ac887bdddca901838e41068f3ef9b160fc14c1d470adfedae9e1bb04be131e6abbd47c7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
f236783c75e5dd11200780d770153f32

SHA1
cb77b67a048ae71c17f9442458987d6cccff03e9

SHA256
7b272a40bce43e47941c170ec8181e215999eb42d071636500014004f96b594e

SHA512
5d4a42b1602b551c0888578f02fd311e3d2e06eeab74b57468b53d86c4a63b205b4d0b0eb454d874c72c005b15bbc940e9adb5b1e411f43e0bc9a479f6201ca9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7f4b3f2568cbdacad718cca3aceed164

SHA1
088350b7ee0f6f8c19d8bf6d794fb13d7fb2009d

SHA256
7f0408d0806634998c3f3059a441ee0d4651a41885f184bd7e9330fec8d9522e

SHA512
e7935979744c923e5ef083cb29cce0fdedca22bccb21a709f5a0cb1fc89b2ae5eee00671a163eb7d87fe41e528d5894bdce84aca4544c65b0a8d6698dc30b5fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
754ae7aff5458d9c8530a298fddaa2c0

SHA1
2abdc1690baec6fbe184c665719806860bd028c5

SHA256
1907760363a47dce69c04102c85d45cde893a9f9ab2bcaf649111418b70b9fd6

SHA512
e73a1a6aedda7e51d1ba82b008c393d558c71ccbdac02d08289b9aa5e7ae31a8ccac6b64223fd7134fa3a42980b716f471f6ffc691b03884918be52293faa269

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
67cd221f3b4658afe1819a75683c081d

SHA1
71d2966e4e5e975addef627bc57938673f8091a5

SHA256
07faf201891b293db0d4d5ffff5cdcdab7cf0b6e61541e13b522a767e2c069bf

SHA512
1d9568eb1a185788e690be53acbf51e27994b0b9b22f011e27a5c8fe5a3b2e27a1a28ae102d0d09e9cdcd82be3a552a350b9fbdc13771a6504a1fbab990f88e5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
53acdf776e4eb5e61ad20894ebc8b0a0

SHA1
9c078332e06067fd0ba45f4b8abf8b38690d8a32

SHA256
ae37c7973fcadc0429f95af77136688bf4835250495c3238f2392146108550ce

SHA512
ebf0a57e9fd9c1b549e4df5bb8aa40e58b27df42189d52dca02a09028c13f7edceb04ba62ab23a795521de123a851199a219405482f6b57b504d81fc4ac611c2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9567565e03639eebcc5c002d33176004

SHA1
fea0067325ec51387f2f5c46b5dadf1494bf8d54

SHA256
627072d0b5a2247dc4f8805ed426bd3d9c956f4992a85cb335aed0660bec0f7a

SHA512
00581920dbe6cbff7301831b64dd7749f2864214201c6ee93fc7ef6f01cd70e2133f6667401317b3fbfb730cd7d96538075ae17c092bd6bda63062b36b965d33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
0f44a00e45cf6c38a138975423a60a71

SHA1
8e249d6406186f608cd216508e6f46200778940b

SHA256
a7f76d9d5c5cd6ce8f65fc2c0d2ceee5fd4f8237912e30ff6ef09a4692654214

SHA512
860dd45ad092ce20acd7d7773ab062b54051bc5bf594b437b2f3fbe09b7f70c728fc75dec107949974051d200273fbdb127a203c6abbe0faf704be39605f536b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
2782aa28ed35f7c8d1dae6ec2b2f2098

SHA1
2e3d6fc0631cf46225c719e0977a4053ed563ce1

SHA256
40be69ff58faffdcdcaa0e07f9d4f35fe2d65ef66a0858cf62bfb599e5df584a

SHA512
77d3188640c97999c42715fe91919d6271799cc21761fab4acb825e11dfbe45dec3d41c6f706b2baf46b3f5abb3a02043b517fad9726554160c7241ba8a623b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
36fc5cd77cedbbe1fd8a3d83bc682a50

SHA1
58b3b9d7848799e6814d614e21af852776931a74

SHA256
c83ef4879ac1887ef575b1018f9809a7022f33f60c46ec3667dda985bf79b577

SHA512
6291074b5f2d3c876dfa4bdf4ec3b34a6de61d2470f9fd4acc2b809f8c022dfc634b925db3916418caeef423ea6381e8873dedd0153590d9bd83b7d00b536416

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
d15346ab579f939fd558e4b5eac822d3

SHA1
14d555b4ac7e759c73277fd0b7e480536442df32

SHA256
00bb8fd2a242dabae27a383de790cc6d1f757c7eee62006e3adfef28dc8aa75e

SHA512
572d05f40fb49b0090608c9aa899fe68e91f090488dabefccf1f0e4c5aefd681f2a2b70b2576858ded989b7efa78bb1cd4300536881a99c13bafa9ddd0f7d1e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
7aad20fcb8f4e62223717a61f413d56b

SHA1
b5506558dc0ca4d9cd3643d8c7758471e5f0abc2

SHA256
3a9bfdf01484d0491f1cf5ea73d5ec2da7f1a3a9cf6763e85b99c5e325567bd9

SHA512
7b43226c9e0199b582c322a827e7cdda59b19d2c8d609d0f528156431f14b3955167c7c37175c006eea90bf841605c5870a1f015e11564858444f7eec18c76d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
181364a62480cd9ec3bfe3abe51ce76b

SHA1
f020a31b988c86c81faa32fb2160524c486ea235

SHA256
2fe359b51d67d4da2244159c25dfce793611ef89b827e352afeccdc4ae39030b

SHA512
3b0f45ab8dfe9c3066419b1264f485a26640e00f1a02effe68081256cf1cd50cb4a103277bd542eb912c9b222f7b186197f9754b61b2a6c184d6d87004ad368a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
934346e5196939dcf7b7f6352f4c71d8

SHA1
4391b83f876c236a67dbb70c51cccf378f51eb36

SHA256
b75cf7a00ea8042309481375f49e98412d4c60eb7e7a220a3c73fb83dbc5dac4

SHA512
dcc35a3739c757d56381ab16178556440797fdd0b4e8533bfa23e8cafdb8665127219333a5c5d158a3ce9477c1c006b973876f6b1b0ea61d8609df08b72b4748

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstack.exe

Filesize
1.2MB

MD5
89fc91f439e6ce44224825e0d7e6ee2f

SHA1
259d77892b5899e13ef44a66f10450d2255f2fe4

SHA256
e21349ab4041a75b64250a533475d39d3c1cc7f07ce109937b44476329cba5de

SHA512
08e7a8ffaed98a8efa16ac47b3a84639c903b3dabae6758b0cbad4b01fbb3c3485b0b97062db256448d93f310194beda2ac34d521bad95e948617c8b24faeba3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe

Filesize
1.2MB

MD5
d26d7806e67d7458481982e53bc78f9a

SHA1
c39083173201a864a0cd1c3e5d68544ecdb838ff

SHA256
89c196f3619cccdd8883e1817fab5f5cfe08a0c15734d512d7ff8dcf501fd50f

SHA512
6699d69415f9bedd895ee9804009f8f0e6ee6f9a83322f19edca2722c20b0f4c863e951c4a2940deba988f4d10d945de6162ce52ae60da763f9740bf37702fb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\kinit.exe

Filesize
1.2MB

MD5
f11fb29db6db671a14cba105958cce5e

SHA1
ee5a6015c3c5df1ab81bad5bda31a07f48b58888

SHA256
df22bd3be3d10d493d53004f8d8d5bf205966fed4d29b57e2976f57202add1b5

SHA512
d7b76213bdbced74c5f10fbb5df978add063f8da6a112c0518881d6581a69bff93163bb59973bbf07c61459f15242e0775c086954b88815c4efc370c13ac216d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\orbd.exe

Filesize
1.2MB

MD5
861942cd22cb4726c6208a227ac70615

SHA1
6bcdc476f8cd57d97a041485822e700437f9afae

SHA256
67780dd19989e87591e69a02fe1f2c6add4b6b14baf7ab87923436e1db9f3e14

SHA512
d392ca32604c1777f3b59f3c1c1a68107282cd3360f36ed94c279441f35dc41c94486471c14444a387e9db035c5215cc97803badfbf0274e80d999f0e8294ac3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\rmic.exe

Filesize
1.2MB

MD5
5ea6bb396a3863345880bd93717b4378

SHA1
cef5863cf349f27a802932edeb3b88c57ae3f701

SHA256
48b7d9a05e915b5964b555c3a85e52a27230211c61c131087062b37d2c657438

SHA512
1e57d2c6e5afe87664fe1f80719e29549f5a6376eecbbc8f612a99c47be325692859ae4c411975a71040018f21c1b13a3f65e121fc6a9a73a4785809b31f6d82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\schemagen.exe

Filesize
1.2MB

MD5
39c3784c4e92ecc501d7600f32e2071c

SHA1
4ba6b3d20b405ec6fbf2c812c334f5e9e0ea5cdf

SHA256
2aec6c90c7e80de57b5da5f392d33d70baa8f25ac7f4a8b93cf7a1b138ade97f

SHA512
87e847a54529118791b4cddf187ae87193b828518877f7a3a855c0a35ba6e777ba4734a9fe9445c97619119a1d8410ad44e6191b2246371f39195331733275c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\wsgen.exe

Filesize
1.2MB

MD5
18e411c7cfc7c435266a350a47b28837

SHA1
c7458a04e6066fbde2c375d9b11b51f2e1a71103

SHA256
b8978aab0529501060c52fe44ed910e54c28ab7f780b78d88974ebf80b316804

SHA512
0d82a062f789a4e770e5a6cfce9bd94f2991b7a0c4e677a866f929f08a2cc70751c805fc9229a991f6f10b187aaf12da7874a60d712c41c5b657cce8c941ec31

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe

Filesize
1.2MB

MD5
d9d50e19104298a144e7ce55d079ed9a

SHA1
6d06d40a04930c6ee36ca8e7066b1a5202f85192

SHA256
fc2be15a5f15b6c79ee2e22d87a0859dacd449554f683b202e3e6491935b6f95

SHA512
7f2127e41aa0885781e414857c626e00ad088f991a2ac47062c153d37165322e9de696ab13fbf39bc5c0dd5dfae99ce5c4f0e5662b77cfc923dd74b6ba1427cb

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe

Filesize
1.2MB

MD5
fcd38fdf64d9b4718514088a33fb2ba3

SHA1
e98cc064466b2ebc846873c113b50a5b2bdc4148

SHA256
63bc16a8bb2944cad62ebd911fc9229ef6f902b1e19aa289000f8c5818f18e12

SHA512
a12f63607a57ac32ab0108c83017df401be0f5187b6e795e37d1b59437605de286b0451e8e4f999b1c9620f285397bceb15d2eec68c7aaec4bd1f08e02bab907

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe

Filesize
1.2MB

MD5
fa754c2514cf365c677fc1be482b1b1c

SHA1
efb42f2914e19b9205662f44e12d0798f5eed7fd

SHA256
7a364f84ded27fff6e2815836acd4e718f69e095bc82283fc3aa7818b7b22fbb

SHA512
46fb7cd85e2c3c9f727618f7acdf2978be8aace3e7de1333225d5b2f8783782e8022d59ae988bf7e5479b40d9b419957d87099321afbce1a65d92fe37e9d8ed5

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe

Filesize
1.2MB

MD5
af4be0044ec7b03239cd96fc7f09834b

SHA1
72551c633cf10989bd32da3b714b050a0aec48ca

SHA256
3f6e5d72fa22e7bb35c35c98221a38690f45863435611184caf472de7247952b

SHA512
6d1af6a71bf2471851b43f26b17c275fabe724d8f99aa0f2065e86b89eefd260d706309e3980c630d34feaeb246e4f73b2bbd19e69fe94d58d609404461867f1

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe

Filesize
1.2MB

MD5
a31abcc584e994a3f36bb6c2500df682

SHA1
03ed68fd7795bfc35f82babd6ef0874937356476

SHA256
e159259e26b6479c337fe5fb8628a80f30f6a10b84819ddb72fbc3f7b8454923

SHA512
4bcdb88917511270f9abf8c3cf57f6413af0b6d8626ec0f55fe9c656ffd0c0b7865ca55076d25112c3d716a34376fcda71d17917cc5fe3a74782b1a696904a38

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe

Filesize
1.2MB

MD5
ec7cf269a5f7c104d284a129ffa4c25c

SHA1
3e4275e6cd0f638876a40c2f467ffc3c6a06f975

SHA256
21637cd97a2bf3fcf682e5472341cb0ac4ad6839f31ec324817ed6db8c492af0

SHA512
80e79956d9949e211d0ea62cda8ade3849050af3093ffa68c290468845a3f910627d0f048dc5ca7f2f65b5d3a186a7eb42bfdf06daaff02982e7b58a817cbbb8

Download Submit
C:\Program Files\Java\jre-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
66b01005c1c6bd22e350cc486a1e64ee

SHA1
e8ee9ce1dc4271e2f4e885df5ed4038815e7de11

SHA256
ea84d62548336dd9849c8eb4c140d5821840974e6cf6203636105fbd5222ef62

SHA512
5a7e9d15a1b248a4c609f7511545a253482ced6779291b00b72b421079eca48b652ba9ee843fb9d04250a0fe4fb7aadd38c9761b047bbbebdb00b2423faa1658

Download Submit
C:\Program Files\Java\jre-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
43caffa847c1fd56f9064b612ae2217e

SHA1
b76e3dfeb383999732d52ed0caa32d7adbceaa04

SHA256
28f77c773002e62d3258a9aafb0bede6cbf0b3c0e92092273dc4d80480389002

SHA512
4eda626277166e6b9a80b67372ddd86e2ce068760c67eb4dd96bd56d23e77a79a4d6f5bef65261f6cc0fb1b23db69a4b406e02a1fd8e3770a794469bee8b5d3c

Download Submit
C:\Program Files\Java\jre-1.8\bin\kinit.exe

Filesize
1.2MB

MD5
c8b0e7a62c3840545db39d5bfd60a8b9

SHA1
3cdafc8ebfbda1d807ef2fee00dcce25d9e75edd

SHA256
57815a0392df9944de211e00d8bbb65348cee859fefd1377bab481378557d89a

SHA512
48c9368e34dd95189fc4fd71ccdb6ab23a282433f06aa1924eb65290f3895680b5a4fba0fccfa6aa4799fab3d0494eb166c29a91b4125b5f2464f49247c98e82

Download Submit
C:\Program Files\Java\jre-1.8\bin\policytool.exe

Filesize
1.2MB

MD5
afb314afd892a6b414d8cb2ef116ded8

SHA1
60d6aeb5aff5b6fae7fbe09d1cc08391dacf51b1

SHA256
3c57edc7b16d53b8ab2d9f947acaeeebcabf32902675425b296bc434cd0c4853

SHA512
a9cc9b7833ea4046dc95464350711468caf5b3fa2feef38031b174fdca925692ab20d4a7f6e082cf6e0c52f75d6ad7d8a1ecb5ee0294e36affae797bb94b69e0

Download Submit
C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe

Filesize
1.2MB

MD5
024f04495c35554a7b6934fcd6fb8927

SHA1
4fad8a61760ec817c76293c8c5556e35a0a783cf

SHA256
bb8b383dfa128304e2d703f2726561696f522f0ba5188fb1db28b75d0319ba32

SHA512
7aa65a70fc113c23f99cb462dbad653ae9f18cda206d5a36f65b7883acec0cf970e3e0cca679d113fe5dafccc37b452e2ec79b62bcd330faebab95bbeadf50b0

Download Submit
C:\Program Files\Java\jre-1.8\bin\unpack200.exe

Filesize
1.4MB

MD5
45512540a8221894bf6571dbac9d9ceb

SHA1
88ef3545f5f3e3cbedb8f6510d1c8f0347161fc9

SHA256
b4a64cbbdf42c465002727c742340a7342991e655a6af25b08a67b21a617e1b2

SHA512
ed3c77d59f711b204a8c6f821af56da9d96cceda184a49d88bacd32eb8f6d907f7b0a51164e7f06d689ae718317898935a1a50c8ba4a29664a13b267410ccd5f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
da164f8bc6266fcc5a231dba67b3809f

SHA1
0be4b05537843155fdbe8d9df01f7514b3061c50

SHA256
24645ff0a1d47338155f7fe3e9bb358e4dd763bd29aad84e3666fa1a464a53a9

SHA512
ff33e51c1ab3b53eaca179a3bdea3a99212a957f085f4cf3e01d034b537e597cfe8b5c121b8c8e16d89301201eaebe2f3312b28b7f1ca849393d475e54de3304

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2886b8031f57a9964dfacd930730895a

SHA1
f7b7358cac8f1114daf97c47571a1080485e0327

SHA256
3f75152c996b98370bb253e944aab65165f0c73d99716ef52d099c8b39648c36

SHA512
c861e9d4ba2ecfb28af092a2086290d2c207557b25aefc77c029d45c7132650a21a226c2b48d0b395520e6bb153a0de8f3b1785629edf260cc5a6de1ea82adf1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fbc31db9b4889f18244b584fa31a7c8b

SHA1
6ad00971d29ada19767e27a49aeb231f614314fd

SHA256
9be2dd9c356fb959c821a7508bc6cf0a501bb4461f8ffd40bc3f1636ba034740

SHA512
c8df14b486461d861bbd9c25f099adef0305266c2f43c0bb172b5f414abf14d0b23be9bbcfb7242af070a8c03bee5b7afffe6650c55896263c5976c9b2e973e9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
07c15e35d857ff8a19649b190aa6867e

SHA1
862fe8bb7dc8d2a9d86dc2d9eac69b11a40d34ea

SHA256
af65014f75d74f8776eb48dffe93300aad9ff232646d8b6ae2ebe8a1f11e021e

SHA512
6cd7148c9de19177d00062e6b897f0d6501099dff7dde4a6cf9356dd2aeaf1234ac87537ca77d844f1308339605674713b548ecef62651a6307ade8171a92d74

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0471cda9d6ae3c09a2919a5eb94936b9

SHA1
aa4df96e2637f7df5adb8d5d5afa7c53a3636b5d

SHA256
2ba3b89eccfca2125baf9081c30c1d3a41b1486a6c35954e3156c7c9b1d1af91

SHA512
64f079364800b92d20943f7e39f00effb8f7d3e36e7241645572b55a1dece275c254fb035f5207e13e51f21d2e8259d507b938467c6ea984853cebb831831cae

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c6a26f44196a1ac22391024930a5c460

SHA1
d0ae72dc10f76bf5651b775d9db81f01fbd92baf

SHA256
fc3740b06b73c6d5e027d4b075302a1ca2a2d279865c251eddae3d2c1da73df9

SHA512
eb84d1f15e9723de963a8b320f9a63adbbe8842603ea1798ead71752485a18144b1607f41663638b48b9462ea375a6975e44f6e69c39e610d6bcc3095be98550

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
328242cedcc4f90fde6c55203687ffc6

SHA1
787788997b2a8035656ff1f5f1d956960f16ceea

SHA256
327fdcec7cacd0a1f838cb9a3a718c14e33a9b6b8b4f20b0a0f3d6c290762ed4

SHA512
a33d82373ded4ef0e61e750a43814eb4c292418c4f748228a2a29b4fdd4f5492e6d18abf7a6adc8611ed515ee88a51aa00308ed1626cb5b2e784bd62dad352d0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
2fb27955a9a6d2e75e0ba111f50b7461

SHA1
54c545c463a498c25f86a0c177adcd1713c95f54

SHA256
c0c658d629b6a6011d2d601f81308ebdacb8648dc149706122efbf73dba36e83

SHA512
2877fe2cc9ec9a03b73a5ed7e96db8cab82b411545bbcdb995ce33f38649e46994df3b21ec2dd7a1e908a6d15a23bbac71e743274e448f96c503433cb646c1bb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3c59896b13546c2df1e0ed2a6a56d908

SHA1
005e01ae49415f4568d3d50155bff0ecb84c9131

SHA256
98ad65fba0ee38152f518b49ead4b542d98418cc62aa597822171dc2c9fdef40

SHA512
18af8c5859f3056ff488b5d17f2f26ca59bc838f30e30feea2ca3f17c57349cc2ef77d89c2134484bf79c3aafd374cd1ffeb51a33b63840634f0cc5f07106e27

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
262c289bdb037dec5b95a2292bc2ae6f

SHA1
a29df1a0e4579eb6d286eb1f3b74940506f80dc0

SHA256
4ea41ea581b4bec4683849587c9bfea26e163c86a8cf3369c087dae12aeeb9aa

SHA512
a9f967e2f85488d172d34056b97a0baab2e4d06711e5fba70ffe351810090bddbee05c30ccc39671b81a4c9c3762dd96b52dfedddc67425db09089809e25c59b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ed7e78fd6021e7a6448dc389e7cf630a

SHA1
467f61635cebfd32e10bc78f0241c2e268aeae61

SHA256
aa6a9aacc00ae7d70f3a80340fa255066801e01f9fb2f6fc88fb534b40d582be

SHA512
6a68ab58856ca00f8affa9a8e551b9fd94be6cd2158614e534364fd2fc74c25c0bcac78a956b76a46109b5b51feff31642fea17e1175b9ebed49f54360253b80

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
6f5a67fe1ad4f53ea6859994a9f4ae07

SHA1
b9941029b90b34f90b6467b2a2c321c799b622ef

SHA256
3751e7eb2f129145568a2822df7d7b3531291808a61209534ad2303c301c7f91

SHA512
1759dad9653745b7a4ae477b6f9ed83b3615e25e7e37b6e5ed021394942215e7bf52e2a463e5687c0c4473dcbf9bcf37d10f248bef213f4d8fffe598eca5054f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b2221c95254cb8b0666e1595d0bde311

SHA1
2049633eebf818ae2935d7d18a06bd75d2d3f644

SHA256
25ec0f95dda092d37f35bc06460ddb94dee00671409c80091b7f6bd470fdcfd9

SHA512
7b649bc1f56fcbf9b1d0d61601bc35852faaf65ae49792171ba7b52f71d0919768694eee1ce6ad47a08d4292b95f074e2d4f2fb2987fb7644d01d50526f8c307

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
88f0beebf8e50cc94ea649eb623382dd

SHA1
33c9eda27068cfb799ec2289111df503200fb9b5

SHA256
7172ea2e0028d5979abc82763ae09aeadc94751e3e6b318afa060386c2da69a0

SHA512
ada632ae8bdbc567348bd4ea4606ff985c7567639f7d518a85d7351abe80a9c526f8200c7dba8af4dc1026bb107eec9f3b1e31241ac2d83dac8a5d0f9be02273

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
18724e5a3efbf50259734f8a92e8f409

SHA1
eb5b7e19f7c79855371ad38d9372dd924ba42481

SHA256
2842cd0fe465429f2166dd8fc2e478adcd9178f354e9529d9e70404e13399dc8

SHA512
b1bf01ac867bd1b2ae9b48bd1914f692baa9f7118dcf9c6ac14409f94e14c75f9dcdc4b74896b51311ed8a218bfa841d2715c3dedd1d46f69af4606beef7335c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
de92d10babc25700af1a5a615e776338

SHA1
a2837d402e6405153ce8c94cab5d1e27e0dc4589

SHA256
012e69bd5a0d090b0cccc20f99932b4eb8dc8af7908ceb100fd70908b1d183a7

SHA512
e3b3bb5f4b2bd7d52971b9ceaedf31773ec0fbc4114c96d7bfccbb8603f1044ab55238406fb9a9aa5cfa2d0f589ab9656d8e68a9a5502863b8b81880b85e0dc1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ef3ed158732d98f39fe201f71ce8c4f0

SHA1
ce48cd19e083b53c88f4b2091bee62bd9025af29

SHA256
ee8226ca89e356cafa5658a4116cc45e37ac898054e71b8c672d4c01fc1aa26f

SHA512
2a34dc14483a28de6c6a1219cca8050c943bee4d05de449743069622ed6b23e524941bbac57c667e581edf999c66f7346c937cea762a626183878448fe6fab6d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5ea9ff366a464b2d18bae04d44c885a9

SHA1
16ac4fb2568fcc8d9c229895502dc8cac85cdbbc

SHA256
345b8bfe0979af2fee16c51070c57ae9e72dbc8f7445738c4bab50e5877af52d

SHA512
afdacaddd7a5e20475d9f6a95d166cb944ec33dbccc06657d07dacb7dcdc3319af43e62d5a95c13f5223372e4d83233780ed0391c920e6675ed0a6af8c11d84f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5b74d388cca4612d44c39a2047a8e4b6

SHA1
be878237a96477129dd628b78a39339e692ca291

SHA256
71f27fdc4dcb57f445e7f0b36bb56dbc58305f84d43360f2fa6dabcc10bc83a4

SHA512
04cfd0a28e6cc86566496385bcd10cfe0b6d7f4f3a414d1a6f633ec1f3457ec51cd3ad9f8c88425866b32aa41fc4e7074becf5af78df49eae1658820eab08bb6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
6eb766e56ab45509832d6178e2fc2541

SHA1
13a29e8b857facdef631fc4572cb11aa67ef1625

SHA256
c8dd97bc5a650ed01eb4bb8e782e321a9e7efd29f762e29552c5725878b560f4

SHA512
ec224ee1e57578d1e0784b16ce61b2188174276f9cd25325a6ae4298ddab96c3fd70a8a2147862465e6e729a3ca25810d85544ea5a02d431e40d5ab8e80e665f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
13cb601df23054776761770eb3997c07

SHA1
a501ca0ee0412ceb14b81beea4779db98c8b6dcc

SHA256
77e64d8d5b8e92c862d99973f4ba369776d2abd635b73215814c97c1b9312815

SHA512
89342c8192a52ec2923ddfe2fa31cb256f0704dd017ed2261990304fc48142f85ed9c570a161e670644e963b8d487e6989a1f8e30dfe9908066a7b36f44591cc

Download Submit
memory/836-78-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/836-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/836-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/836-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1384-6-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/1384-2-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/1384-108-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1384-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1424-228-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1424-115-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1512-139-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1512-253-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1640-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1640-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1652-154-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1652-357-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2292-394-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2292-179-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2400-130-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2400-33-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2400-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2400-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2648-374-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2648-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3316-252-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3316-401-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3512-234-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3512-127-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3624-54-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3624-48-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3624-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3624-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3736-393-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3736-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3736-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3748-126-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3748-20-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3748-11-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3748-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3920-88-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/3920-96-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3920-209-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3944-83-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3944-80-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3944-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3944-79-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3944-72-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3992-255-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3992-403-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4180-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4180-400-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4232-404-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4232-266-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4912-38-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4912-44-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4912-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4912-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4912-68-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4912-395-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4912-198-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4936-216-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4936-111-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4976-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4976-399-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download