c379cf94305800ec10b45fae2edfe27ee57f7c9d9d583ad5809a1425137a3a62

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
Size

1.8MB
MD5

a30e58325f6391533079109b1f628d85
SHA1

2c0c2634def0e594042d24c448b97dc8e21cecd6
SHA256

c379cf94305800ec10b45fae2edfe27ee57f7c9d9d583ad5809a1425137a3a62
SHA512

7ca106cc9d28b1cd6bf19eca99294ea630fefcaa69b4421d7d9127c249e4b17802591ed8903a9ebd3bb777c5d33986f15099bd856b9390e61bd98e7f837e77b4
SSDEEP

49152:LE19+ApwXk1QE1RzsEQPaxHNHUlLpjuPA8IOQZc:s93wXmoKvouPA8IOz

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4924	alg.exe
1540	DiagnosticsHub.StandardCollector.Service.exe
944	fxssvc.exe
4860	elevation_service.exe
2376	elevation_service.exe
5016	maintenanceservice.exe
3620	msdtc.exe
4156	OSE.EXE
1804	PerceptionSimulationService.exe
2308	perfhost.exe
2056	locator.exe
2628	SensorDataService.exe
3080	snmptrap.exe
3760	spectrum.exe
2140	ssh-agent.exe
2064	TieringEngineService.exe
5096	AgentService.exe
1252	vds.exe
1520	vssvc.exe
444	wbengine.exe
3640	WmiApSrv.exe
3928	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1ed584231ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009f6fa9f1eb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb4ed6a01eb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014a52aa01eb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c6c10a01eb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000093da4a01eb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a345ea11eb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003dd8dfa01eb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
Token: SeAuditPrivilege	944	fxssvc.exe
Token: SeRestorePrivilege	2064	TieringEngineService.exe
Token: SeManageVolumePrivilege	2064	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5096	AgentService.exe
Token: SeBackupPrivilege	1520	vssvc.exe
Token: SeRestorePrivilege	1520	vssvc.exe
Token: SeAuditPrivilege	1520	vssvc.exe
Token: SeBackupPrivilege	444	wbengine.exe
Token: SeRestorePrivilege	444	wbengine.exe
Token: SeSecurityPrivilege	444	wbengine.exe
Token: 33	3928	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeDebugPrivilege	64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
Token: SeDebugPrivilege	64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
Token: SeDebugPrivilege	64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
Token: SeDebugPrivilege	64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
Token: SeDebugPrivilege	64	2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
Token: SeDebugPrivilege	4924	alg.exe
Token: SeDebugPrivilege	4924	alg.exe
Token: SeDebugPrivilege	4924	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 4168	3928	SearchIndexer.exe	112
PID 3928 wrote to memory of 4168	3928	SearchIndexer.exe	112
PID 3928 wrote to memory of 5000	3928	SearchIndexer.exe	113
PID 3928 wrote to memory of 5000	3928	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_a30e58325f6391533079109b1f628d85_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3324

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2376

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3620

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2628

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3080

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3760

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3388

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4168
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
95811ab20ea77f89e2685058361e9f31

SHA1
e0237511020bcf88c7cef5e8996347161968966f

SHA256
322d8f269100a799a6bcc0506bd3154190ab0ee948462a363d09e48f5c477e11

SHA512
14d12ca6f753787b9156635a9ace0cb4ae7419db7e21e3163083d5c0ad3aced381bb1b672ad8d1470a7ede5e6d75ea98d881d5c91466d561a1ac79120f798609

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
1f08ee1dae39d7b9c6d02a96437c50f0

SHA1
8d1bef6a43bd8b6832a24dfa316eb59823b70fa8

SHA256
b197a1a019f8ad9734f7cda50d35021897b77f5269a0d6022110f5650864700f

SHA512
62068b60587a865036dd671e12b47c2d8317cce7d7763c69fb6f879fe16b8acc7db561a3e85ee47fa11b2969fff19f21e621f896780a3f801fc33e94f5662bde

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
dc2b279f44fa505c0d1299317960d128

SHA1
8b9035e8913d0f264a1bbb6d8a3ac75101a7d120

SHA256
6bece6d91457a4b2a4338df017fa07ee7b93751b1e37bc13747ca8d443720e01

SHA512
1cf5976cb64a35d78918e3c818f326bb5c1c30e994e275bf8328f8283553c3a24beb392a329e6f8c91e44530935e99d299b393a4d4f70c5e39961ae5e27e1de0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b58be813edda7866cec3f1607ef070a5

SHA1
571ad76e925b89e3c6b92a7abad16c1ac4f54689

SHA256
5e0a705c8e05a0c82997fb0ee7ef39799e8367287bd1a2d6339f05e58916cb53

SHA512
a8a982cbe731286262ff77be918c3682860cb6be7d06d84e098fbb6f577ce71d0422d894c2d8cf4172379a54ebe96e3090aeb1a3a25c5cf0d6a49c69d13d9bee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
040dd4c05d37ab31ddfa17aa7ebb378b

SHA1
9adc26ddfec1b16b56df6978f4d901ac701c3166

SHA256
c7a8c19b5e765689a9f4dddb09d5551f1d75a3e22f48ef6aafcfcf0b9c57d1c8

SHA512
e3f3ae5354797b895ab41e4800af96dfc0e7608493e6547bb040200bcf28d325d4c0a2113ffbbdad29861c2524b7fea385175c0ac486b515fffc1e13183d1bc5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
44d5027b1d6135829cd441c9eb1e9dac

SHA1
a476ce8b497e9c9ab57be60720bf962909f2f1da

SHA256
c4073534a0aaf1a25a76fc08fb36adf6a5c665ec12038f485d6398d85f48064f

SHA512
e5b9458a13623b06bbefe0575855abd3646897154c0697149a019d36085f798f14e4bd0af823dde96dabca35ab95d3cd4f030646550ae8063db6c2bee5ce6296

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
03dcd6e872e6310643150d88cd9cd59d

SHA1
a9526d697a0f9c6016b5f8fa56918dca4da26be7

SHA256
86a77efa32eb7a419e6c8619dceb7ac4c517bda0ea2ab4697db512f69c51dd2b

SHA512
0d198bed51c6d12e629f0f1d12959f3a1c4028e76ba23834139e521b5748445758413a894d46715dd2c29e61a604313ec9ad2d58b305bd8d607f2bf82c17086f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
7fef5954a92ace76e5449da6c0b3b996

SHA1
0b1e63c94acf2d8ac4e0ca25b937f63f6d0a61e3

SHA256
249eedd7db55cd1d39291759743232562b835599ea26f475f13c10dd80542586

SHA512
7777406714b80f1e71a53b0ead5c189cf6066289ee33a20a9e7ef74d4be1db8cb2bcf25faba5f2d8b84c66d707ca1c2006a45cf8e852b93c4bf6fc033e05d7ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
dc5b51937d03ef44c4538e61572e4daa

SHA1
0b7755ccb3e8c840896ec676048e371eda5dcc0f

SHA256
81347a1a82a53007c76eedf2e1bb4684e5b2abcda77c2a180a5d693c05dc76f4

SHA512
5ad5d254a7eb94dd0e2befa816a8ff993377185c97f95307e7d15c0a00c799c19b5f5f47567d72665b9249c7ab15813642789fc0876b8be81f946081d3a7b86e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
a2d1115e395fc617f8dc17badd7f09e4

SHA1
2baadf271d6230da950562abf67bbc2e2eb5deca

SHA256
1b3f0557b0ac22636236cb4045578b3f0b486c57ecabbb54baff488f09f439f7

SHA512
6a7ee974cedf3583337aa1fe5e10982fdcc0b5a592c33a6cea887032a63ec0f70c70ea21478898328f1b6a8bd4ee3faf1c5d52298059560137d167ad087b1bff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
e16bef63c88c9a5388a74105c3a24786

SHA1
d8a4dc51d42db25eed13f10c3520bc3f39ae04d4

SHA256
b843057e604a87f8e387f522b5076c9bd74dc037ca806d58996b6ee42b7cd834

SHA512
e8d1000cf80721780100aa872b593623c59cc9bfe9b6b18beef541ca0ecdda1f2b2a8cbd04632a86d0e1f7cfa5f91695343ff269d1592877ca5889d9ffe42246

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
b5beb52b5a74fc21012d5ba39ebff43a

SHA1
de6690ac85653fff067223c32f2bc2a650736bf3

SHA256
55d4093fca0bcf9bb499bec307cf8e311b0e98dcb0d6847d149e4d5a6041e33d

SHA512
95d21f7ccd7780b4ec5b2a54321a94b75d188252802214192f35c687ca6f44be11601ae95130cb1018543fc89df0cbcdc307f938841fa9b083fbd5e435dc1292

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
8674085626d8e48be0768efb838db911

SHA1
03c254830a89ae70ddcab72fa3bde8037ca7ed6d

SHA256
09c8c17095306c6c3ca8af5b163f457ad26895958aeea6bd05a1588d3a124404

SHA512
c060d24549e2fb4e4e58fe267f96b997f99f49e7447a1d9ede31f4744451d81d885c5a7f82fbb988cce162a21a38336d5c87d07b21d88e143e3100f217160dc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jmap.exe

Filesize
1.2MB

MD5
2a09fef68c21d7922aa48ddcb9cfcf39

SHA1
c0170d8f778fd573508cedd1fd4708478542869e

SHA256
44ed238677bdde937a324d496bc1fcfb5cea40e686c19da11d4fcb460ea8cb11

SHA512
897c65d2d6bd17f4d5a3db4f29a6853a22e39cd9e2617db662b76326d7c7f8d7780c19fa7324a5ce6c35203d9c781811ff35e3a9fc99bc483e9c183c0678646e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jps.exe

Filesize
1.2MB

MD5
78ea8b4fa59686b1952d99efa32da2b5

SHA1
d88a90e595451cf67e34c3249a4f320e8c8496c4

SHA256
ebc61d5115fd4aa41eaab8b7d413f84f06015c8a056a51f6ab50d81f68899d4b

SHA512
cdabd3937928a9d296e03c049f0c41ba985fdcb7e4c1082143860baaec2224c561e586d9cbc4b5056d5e28478949d49845c0a4ba8b580cc8e9068bcb55615b8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstack.exe

Filesize
1.2MB

MD5
c74858fcd78dde68ba6db84424368829

SHA1
e1d5b6ffa51876451c4773d5cdc29443e351aca4

SHA256
1de958b9afa05f0665a10ed15ebe105636f4a693ad693146a87365953257dec6

SHA512
d22eb8b9fd38109060f529d1242654b2820bfce1dd330c25508f0105688541e9ee1c40db20f97f937e320e3dd8b2e2a1107096e9e21cb6b0a0c5002a0d2421cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstat.exe

Filesize
1.2MB

MD5
ff818de6cb18f947499bb96db8786aba

SHA1
df68d728d2712f87fa70e8fe57a017c9ce5a7adf

SHA256
16f5a8a3b7dcce63ff60cfa9c9e21be8abc6ebfb6886a3a90f5736df926fd73d

SHA512
c12f2a920b57d7addfcaa16e9b5118af7ba6c9d84022044301a7e38a4f37383d5bbfc8aa7b5f28498496d3f4f75cb86354c9a463c1efa28621117492d796dc81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\ktab.exe

Filesize
1.2MB

MD5
572453ab2dcf4bfc2b0e598fdbeeb772

SHA1
aa564b477dde7f1240acefd4773895b0d4b7c419

SHA256
4cde5a330345dca2e2cd377aeb7b07b40a850120a6693e1460de3a2223a934e5

SHA512
259b2ebc2e803f3c02dc8cc946d30ec727245ce13e1fa8bc80d0a7a30637d10e8cb19799a0e4d746b410df0056c18bf81323593fc602e3f34a338ca8e819e53b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\pack200.exe

Filesize
1.2MB

MD5
654b49be77d76e6e1f90961b3e3ec7f9

SHA1
5fa290a89f861876bd34477cf917e9541edbb7c9

SHA256
389b878e14eeedb76b363afd04a4c94f202ff826957785e75312e6851547b859

SHA512
efaf502940ca089891876164bb23d5df8c10ac5160b2009d7ef889853ca98624447be34e4470b4f62ecab44a09226b32ffeea4df8eb21867c03bb83c4cfe3911

Download Submit
C:\Program Files\Java\jdk-1.8\bin\policytool.exe

Filesize
1.2MB

MD5
9346b4cde1ef0186a3259034e838abba

SHA1
b8a04fcff628c5294b1418163c5518eb1bd3cde5

SHA256
271c640e6c4666c6cf03c5d247480c239978e24c95542c88245ff9da92866188

SHA512
73c0419cf2768367fe13b1372c37d2757fa794f48223d44d7b707e148447e40a675e0f0a07ccd52f15090eaafdf30e7834251482db9c25b5e99bfad0ab724e0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe

Filesize
1.2MB

MD5
3a04d0025ab410b22a9fcfce4051f97b

SHA1
81ae94340a99e5add33ab49ed7e1eca06bad2ae9

SHA256
e0dabd287eb969e3aec944625854fe226d4c7b210a37afe7a0463f2984886141

SHA512
005227437732df7f6766862169c23babadfa6b49b7efdd0ba7bd4e7b957785cef7ada423fa49c8c5efbec0605617d2bdb4d7845511c5a65343f787dcd5b8b7e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\servertool.exe

Filesize
1.2MB

MD5
4f8fd3a4731a5b4f498cc8fd1f7a66fe

SHA1
b3418481552788d7c2905df7800b4fbcbb092180

SHA256
717f053f7261efdc7a7a3312957f1ea8e641e809998c5dff14523f97f32b24d9

SHA512
a8f4c0afa59bbce867f42317ab7ee72c71b1e9f7f4967b28b30c788ea4f90b5de902fdff42463bf54c967b1ecf22af2166b4a48aebce91a463e5f4a93186bb0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\unpack200.exe

Filesize
1.4MB

MD5
95bb5ea13b3ce2be69bb4c4ad8aa7a57

SHA1
0e7c35393344ac59ce6aa135757bd7a69850e5c2

SHA256
0095ac6c6a27dbbfebc95e778ef124f574f5fcbcde4f2297a6df7ef8c6cb3ae8

SHA512
1b89e547253380419abfe75aebf7633cc814323c2aa81a387439a0ee25b8f5896251be5d620cd7324a11043dce2c73c00d46b1daeb5c0d45aeec24bab055489b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\wsgen.exe

Filesize
1.2MB

MD5
6bb3d29fd84a99947fd62ad37c693757

SHA1
022a6971424ce4f9f33f3de96542009f6b2a1ec7

SHA256
a388d9501324eb359187f4d6eb46bef4cc0d75cda1c168d801fa5c527b94348d

SHA512
eff3d34f52ba12e079976544e47453cd5e44674b4c5ba9feaa50136539737939d71fdd4b4fd3f337dc30e94cb4237cb62a68b3ad0c1bb5c54ab47e5994833030

Download Submit
C:\Program Files\Java\jdk-1.8\bin\wsimport.exe

Filesize
1.2MB

MD5
c76c77eed4a56a7561bed7716675ac28

SHA1
296d44b735ced6774a7decd7822bcefa3b02e6ad

SHA256
5bdd6d57434c39b880e5abefe43033f83398c3f13124fcf9953dca2f934ddc67

SHA512
bd38f3e4651910d52e1251098bcd4551104e01bf43c9e44c38452a45e736c28af7f362e11a9e9656ef598946cffe1bb6339b7a233b66086d117fd786b3bcc224

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe

Filesize
1.2MB

MD5
ff5c66aa94e964504898b20899bd48ae

SHA1
3e88926c9aab121b638c3d5602a108b60ea1b308

SHA256
644326951d59cc2ca61515f4d702acc7c62c1ffb9b9a2d6e3b8932483a25c01d

SHA512
a8043c4900f917ec1ebbdf2a86c5d3019860d8a849842df1442e74dce8e85880daaad6e994fb8282d5f5198c9ec8f10efdae6371e18307dbe24b3e8afdbff8ac

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\java.exe

Filesize
1.4MB

MD5
f33efd07a133723d87a21c7978182d8c

SHA1
7a43ebb5ccc3f475d94d4f96bdc93183ce0ff347

SHA256
a1d9b0b27245eb9188fc9c3cb422534f3db597df1f1dc5994d494b55b3a5598a

SHA512
7ab195b7d3c1d5b81a5ac4c61a75b6212246a486bef2975dca6d7819fbb8ecd5bb977394f47ca4f29240941db60e7d5cf279d32c60b67d2cf563b4064e631799

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe

Filesize
1.4MB

MD5
860900531d4f6760d574a3d335c62ad1

SHA1
9ef18db7d00eca636127347c218a2b7fb55b6260

SHA256
97c4e557f201e3b6dd5c842e83b2708559b126743f4f1bacfd2b3b7c6f5c5506

SHA512
538cfcbddbb974cf96b140702095b46a0284306dfaf7c22d3392d6ec58c378050f29fcf3329055b4d5d20a7c1287d35d69a3b0dd10bba4141e2d16c26703c8da

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe

Filesize
1.2MB

MD5
247a548abc0c970e1bc428509c3ca676

SHA1
6cc8d3b0ef39c8d557da010870ec62328d914024

SHA256
baa4445f0eef7ba1d641ec9f9741e23535e506cbcd7a6bc9f8a4816a051dfbdb

SHA512
5b0ec1e59a6490cfb7a48fa95a1d079e55884fdfadf7b1315549a58518b05df2e97b0d280a338de6888cf88a50864b6e849592c6dd73bfdb703edbe38bea596a

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe

Filesize
1.2MB

MD5
45f4665e3eb3b414a677be6b28e77ace

SHA1
45563fb9b69a87178224f6dd7deae7d26134f548

SHA256
98c507234f4923517c06385105121c52deab65b226851acdb93a3320d3635e8d

SHA512
4a61e7340ce26b599f5b31b426d3215d59e31f24cac3dedd5c96284210f283b3400d73fbd08e5da7dc1f484d653760934e9475a2a7feb304082bfe6ae10154a8

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe

Filesize
1.2MB

MD5
10dc6feebc442caad26589b1b829bfc4

SHA1
8f3d46ce8bb70ad5d962c8ff19e545708c4d6ada

SHA256
03a48c19ff0589e3906d8843488139e6554d421e1280e70792bbd6d61d082ae5

SHA512
b68a84f0a58262f88a0386a777730ab3bcc6bfb7679b22521b5f149c4b6bd5278ad1dfe4ae49c87b83e57bc393852f493c07b981036c85c25aeae41c5a81db22

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe

Filesize
1.2MB

MD5
e3bfc37f0f69137372742ddb8fd77ab4

SHA1
0763b6db3938ef6c26ad7de60552066ad6a14039

SHA256
b3874989f613f1e9ee9f10728e00e3c696a2ce8eba50d50bad910b73d640662c

SHA512
a7e22819036f649d48ebb53e0967a76477e978af1d2ce4cd68924e8aab8e6b55e15dc67a890b83cdc7708c4b12ce005a48acf57f3840733ca2f864b2b7752b17

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe

Filesize
1.2MB

MD5
e975c3350d476c0ee1e800ffce5ab860

SHA1
e5ccd8150e078375cc9c3d4a833715f254e6fc39

SHA256
a84eafc645febd926143a92e8a2e3e7ecf08b4e066274988f20818a6bb5ce8bc

SHA512
f787dc087af96bf19982a64407b069dccf5c7a3bfcb5130d51118bdec146d567c5a99a21ef05f1a3e3c002c62fc8a415ad9bc6cfc81038b6f1397303bd8e3305

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe

Filesize
1.4MB

MD5
17699269e697afe40bdd331224077664

SHA1
befe898dbd8f7aa562962e15e1cc0e2d543481b2

SHA256
ee84a7da623e4c8c9dcc9c1e26e8fa055be0a37172ca1eea9027b2c30ea20518

SHA512
5e55913c7142513c6f8a4d6677d890b40df55e7fe44b00c5594b55e2eca9981d39316384da16b7031af05bd54f65e3de811d6cdb265d4f1e3a66bb73dff2ef44

Download Submit
C:\Program Files\Java\jre-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
fb883aa90917dcb4ef4c4300dd084c57

SHA1
7815f743aa0f2f7aa9e2f0e58a3d2b9420528a54

SHA256
67c241bf774d98e05ac0c4dc0f92edd41dde8c013b6408e3b34f5eaab8034a24

SHA512
1671627c3e09fa18e38bd9aa8fb7bb2f13322b2193aaf783b31c702e20600879163647afcc2e84e81dc6e28a3696ae5737a70b2af2639c86f05cf279598e27a9

Download Submit
C:\Program Files\Java\jre-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
1370bc71ab7d3442aa51bc2a2f579610

SHA1
36ddc953969d013d77ee81816002761a7ee52f85

SHA256
0df9dbed767c3c2bcec51eaac3960963529c825f761cc2ecca05f98e44da0ed4

SHA512
4b137fb55c3cec0d7c587c923f56708adeb00493b5d30c4a8c8b930650a150061919051f85808d9c924c55cec4f9adabd7e25ed4ea79c2b863e28f2c9baf7f06

Download Submit
C:\Program Files\Java\jre-1.8\bin\kinit.exe

Filesize
1.2MB

MD5
732e73e29e38605f01979e2c9fd9aacf

SHA1
15e0f7a2ffa9b251cd217f3f8133a8091f426d62

SHA256
7a46221007a095279d3002b8f933f82760d3e62668e04a2b8b96a79243f5fd08

SHA512
c3df8fb6a97dd21d96473d731c4f44bc34c0265f82b18febea3fca19319b9d8327956e87cb35ee8ffd3a2c09ec0b77f68a6a9c3bf88fb399382587b552e72703

Download Submit
C:\Program Files\Java\jre-1.8\bin\orbd.exe

Filesize
1.2MB

MD5
be4b9ad293cafc6ed5fbb8e4a55530d7

SHA1
ad6fab5dfc36ee01da8fca8a08baaf470bdcb77c

SHA256
e06fc29d3817547f948768508792f401c520b668a5e374318ef1bdc4e7a3f274

SHA512
d97177885d85779dcb10ce0dbe4cbdcc9f805a9bab58f015820ff5e300327992169d979d233d52eaf38b829959dd36ae3a15b798ecd5a0c21094e7625b346f37

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2cf7baa9c6ef1a9359957ab5710afdff

SHA1
38a7cebef64404b88471b4eb39c6a8a495f311b8

SHA256
7ef637f4bbee0d6edfbeab47f890e1b895e99507fee1e75de05b099b197113ee

SHA512
1248e249b3eec387d31f562a7f2b8aae982a134585dc5497349173f484c130ab5a9ce5de4cd86cff10797e9a2f0bb71f0bb6138ada299b879574165d9b4a5910

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9e85f44fbf6b2cf9373ff6732b810356

SHA1
264ebbd61b0d8c8fd6cd0afdda47b1d55ca172f1

SHA256
7968c957f686d70485c481d809b90bf7685a3c4946c58e1c1cb35bdcf772d8fc

SHA512
bab98d0b181c817722213104154fa82c260aa423dd9188351f09bdd53ac7cf34630517c58cfd76a8edb89a24aad85dcce6260ac1058440db875abceb75edf03e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
db24e304b94b28cd533f6f319ca09d3a

SHA1
28f29cbed2cea259736a6492308a4f457c43fa40

SHA256
b64328fa18dea9b255848e7098e6edc87ebd1efc02936182ce8ef8ea0b25a27d

SHA512
a09883164956a3392b8a143ef8830bcacd6e2c752ab3346328f4fa11cd3f895968ce554252bb9055d10a7f760a12fb3b74b44bbbd3421c13911b0777e70627a0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
5b1e6adc2f69ddf1bbc2aa9a6275eeaf

SHA1
e672ffdc84057419332bc6d57bd86b79dd5bd7c4

SHA256
140ffdc5fc6d164e5f6e95029917e6839d275b8989e817857c2fc8daa3ecf4d1

SHA512
03fb84e5521c65ceca0e15cd0aa2fbdd361a73c06b84d274761a8ce9162fce2945cfdbc17db57d3dee399c5e54b3a1ae138595a82acb7379ad1876996132010f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cf48e9be55b3dac69a2e2e9619871927

SHA1
d7f8e02838388799f5f4ea1942793e74c6fcffe2

SHA256
64cfb36cec7ad54496085a59624f0ed79ef5e6c486f0abd69ad31a81e475e694

SHA512
de586c181382c753718729789299fd0dfd4510f2d6200e4722b43f2c1b84080e428f29ec6386c4837edc8e38e32467185a52a0bec2ae328f39ff6399d02b73ce

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ec0ef20dfe2b9a504fa29cdf4ab46fd5

SHA1
80c79959c749092b302b310cf282ea4c7d71eaed

SHA256
e0418e917c4dcfc6711d42046e42b93bec73eeb661134d026e56c977d06c3f0c

SHA512
77fd5898defa15e46403ccbc4f7300fd1a79a2cefc2df486c3875e9cafae087d4aff47ed4b5bea7037df2087758205f1e0534ac5a4e7bc819f4b6b9c8f9d2ccf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
e091728a89b17be242463a2fc004ff36

SHA1
92425f19f8e8930642069942c8c4ffa50cfe842a

SHA256
b1cce1f36f54830815091d1269b9911158eab8467be090f2f71e4258bf4a2d6f

SHA512
61734ab500123ccaa10711dc5a5cadb7ce59e95f89659f9b71716383471ce2d777ddfb6cb111640e9ae73ef80dc1b6e8925a468a712d7951923e826c7f0b43fa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
56447a0b10240b3a6002b51cadfa6a56

SHA1
5eaab84742615c51974183afb7b88dd24a07fa56

SHA256
43330147c7059f4f6f96de56fa995b9d5fdaf253593f5200309a2782fdcfc67b

SHA512
2ecfbf9aefd40141ccbeaafe55ba25707a31f11e087b56c8c06e804800d2f955551bb192ef38494e5ac9b629f1dda26ead32eabe7f6fc573280c78cecaa5c03c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
99f3be0728ccd5645f995b6cfcf97dff

SHA1
aca58951188a1d601c6cedafa4a35fdb89c02f6a

SHA256
904b5a198363bcda3f9c72a248757fd4bb632fa1dd78c90b6703aec7eb4ac38a

SHA512
9ae375bc07786e4fa4b048867cf6369599a8ebc5f226567f16e374de19e45c8d79152fb5e787a2fc1a982d58c4c8381e15f374f26cb7a7744ada4346ba67663e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f2142e2ad11e5a23b7b0b9d170fabe3d

SHA1
1aee1bbfca0b67bddffef3586a29559f628ad846

SHA256
6b8f1ea61850ec000e7751a9b5b6dba5b8a058e7751600e48b31fe5c0184a311

SHA512
a45d2b228c6dbcb55300879476122e79eaf4f26ae5d3aa2165f017660d8cf0d0c03017dac2fce45243f477c2147adeee68340cc17cab61d90409b70487d0292f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
024ed22014f584c58689f1a423c63866

SHA1
8fb4094d6b7329d22e56c3be830b5e3eac0162e9

SHA256
b677ed59f6762a956e7e9e4f6f129493d51ad46ea6519ee65a4024deed2abcf4

SHA512
c25e735c6735a68c5db3e6e64c06569892a21035dd19fb8df87d0a3ab4d2c2d8c171b4150798633ab75bf87452e6ce78b86160f817de84916780e22cfab6d062

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8813536da6fef3f12e41760de67dbc27

SHA1
5a2771c7fa4199c3432b6762cd3c08baee7715e5

SHA256
5fc401688f2f5c76b91ba2017f162ab555ef8ec9020e76fadbd09476bb10fac2

SHA512
1591d10ec2b9c830b6162be6c10962e923d7b03665958e283229f5280daca7b22d2fa2185be386359beaefb3cf9cf6a6421730e97718cbd2073f88355c5cca7e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c2a246bab2ccdb9b674c555292f8f0da

SHA1
b4961d06ef303cd2e24249f28299d36be3ac5637

SHA256
5c001de7c326900914e902c69189ecba7cf5c1896d30b8a517129e511103af56

SHA512
b4e783227304e551081ad21e35f78026eb65c7c13bbed14c46f1e630b86f9d99125b19eec4dafe98aea7384a2de872c4a378a2c62c54fd76488f0878d5cb6442

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
298d796b1df484044cfced652b13776b

SHA1
9cb7b945aa692bcd343555dacab394cfe0ae7559

SHA256
c09b75ddd589631f21c66fb02bd084076eadf78b1819e3b5335e7b197e8d59bd

SHA512
1e4338718d18dcfe3cf39d19a49cbbcb27c3a0f79abf8d0b755638235732c69db7a64ff3607741728eaf93c3c28233ab1c258976fb80382255b717d4486f882a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2534f79f5d3fda411072754759595cd3

SHA1
100c8015d612c52d34ebc38dfa7e9f9574989279

SHA256
23501a6904b4526c3352d2e29e74e61592bbf7b7fe3671fb7a4e220c8afa4792

SHA512
11f6fe58ff74b7cd84724e985ec099b3a96907688f5b4dc05d4748af7ce49c5db8359b65af5ebe9e4a6e20639ff3e772ff05d69dfa32b6b6d17f5ce42a632aff

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
19dc9b4b96d8d7ebe5b70695e5ae2874

SHA1
37834b4119862bb4e7f2853d41042c283f5bb7dd

SHA256
2f8bf234aa64c93999b3634987230442d56b7fffafcf4d49cecaf84d8fa9e801

SHA512
e63ef98c9348a041031fdb254cdc734e8e8dcc3e07341d7a1a06b9599a775c7696ab1ae3cce154d2e5b52f9d8685f9ad3a0d1f4341969901aad631557e740130

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
50f9d5de019597245a8acb96ded5328c

SHA1
a45be2e194e171c8bb5512e6fde588f538287014

SHA256
958e305b33e8e69f617618addc5e8541c1ac934d6e479a5b907aaa919a70de67

SHA512
321aa72d41bb92dbdea3e6fb8ea81f8fedf6ec3fd7d6012a1d81948d5ce1f5f2e55bf90782314f817aaaf0b7a4b2bd2f31b67bb11a9853b3c617e1350030a48e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a249266c4778a60a5e3e46c1f611200d

SHA1
b7781e1b9d557cff8d5993180bf2605583f309b2

SHA256
69cecbf247b9f006dd281816c32284d5f84495d0be016959b92147267575399e

SHA512
5ceb10f8d83ef9c540b23bf24de0b3318c9634d8954c6a4baaa10be79063cc75267c75d0e8d064c81d2038be74382f04d5d747feeb658388e528fb5e05873f4c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b572617cc2a0be008a78704d12b25905

SHA1
45ee31b3d505270edc2d927671bd64e807bac357

SHA256
71d5ac4e4a1cb4240d5830f8f3682b52522437b25015292ab71b9f59e822e58a

SHA512
d306277db98b5aedebd244f5b7acd9bf8b304cec986ca7f0827f536c2b343e4ff4a6d20dea08ff277f19a0bd24a64e752aef0ab786bca9e0889a02e8c605e201

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f0fe314d42bfd30ddbc6f2b223747e31

SHA1
78cf5432b749292d1f55870fef34d61f7edd6809

SHA256
468cf8143842ac3b7cc30500cd9e5cc7f5b6b59f8a242e196ea7b9bcda2d3f56

SHA512
fe57ed2a7d8c8bfc2e0648466ad276b47b9e3baa0b38a7f13b1fd66dea7934b98b7e66ba8ba8a0d241d4ae6bd4928ad80703a617edfec3ffd68a0b96b60ab26d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
093b164f11de502b57d45344a829853d

SHA1
246a9178733db6d2bd887022c312f27b5b513fc5

SHA256
64c99da9eeb7f4fae1cfc4a30d66ceffece59ace11df4fde6a90b1692f87a436

SHA512
bd8cd242cd011b82e6402a1aa79fa6c2c24027b92ddea2a73b24db4688ae234ea61a91cb1f5e47adb74368e731d32d8598e7833f906ae497353352feda6e732e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
64f0d97ad0ca74b525ed8115650d2893

SHA1
312b0f1e51263a11d37dc6f999b7102c91073d04

SHA256
4e6bb5087d44a4991dfe2b763c80efcdf9f6498be470c00ef2ed7d79911857d5

SHA512
3e8fac663c5d961076ce14b3ce93d3ec675a2f75965f814d1adb36ada55f3f4ea1d889c32e848ba3250bf37b65b0eae63a933ea9916959255ac88b93117966fb

Download Submit
memory/64-106-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/64-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/64-8-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/64-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/444-239-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/444-452-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/944-36-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/944-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/944-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/944-57-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/944-42-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1252-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1252-450-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1520-451-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1520-218-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1540-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1540-33-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1540-31-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1804-217-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1804-113-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2056-249-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2056-128-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2064-181-0x0000000140000000-0x0000000140181000-memory.dmp

Filesize
1.5MB

Download
memory/2064-447-0x0000000140000000-0x0000000140181000-memory.dmp

Filesize
1.5MB

Download
memory/2140-176-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/2140-441-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/2308-125-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2308-237-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2376-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2376-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2376-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2376-174-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2628-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2628-254-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2628-376-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3080-151-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3080-353-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3620-95-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3620-86-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3640-250-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/3640-453-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/3760-163-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3760-354-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3928-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3928-263-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4156-107-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/4860-47-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4860-162-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4860-55-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4860-53-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4924-17-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4924-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4924-124-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4924-19-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5016-82-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/5016-175-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/5016-72-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/5016-78-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/5016-83-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/5096-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5096-200-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download