Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 14:54
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
Resource: win7-20240220-en
General
Target: 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
Size: 1.8MB
MD5: d7a834d84f5bb8c2dcbeb298dbdb2d52
SHA1: 1c7f61083ba83ab17c3f1d0d0978d41f35bc365a
SHA256: 0aabcfb18b76ca62441fcc97f4aeef58cae72d3499eb51c81676d5f866bcf45a
SHA512: b56964f46a5ef05102b53f987a567c97195d6cb72ac41a7311b0a6e29dad6a4b09920e0fd7d14508aa8e1ed3d0d41dbc73936b9ed7c1a2eb45d1e923a7cb7a6d
SSDEEP: 49152:HE19+ApwXk1QE1RzsEQPaxHNX8HNUPCAaq8Wdo0:Y93wXmoK/8t4C7
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes:
pid | process
1244 | alg.exe
2884 | DiagnosticsHub.StandardCollector.Service.exe
3168 | fxssvc.exe
3456 | elevation_service.exe
5064 | elevation_service.exe
5076 | maintenanceservice.exe
4124 | msdtc.exe
368 | OSE.EXE
1724 | PerceptionSimulationService.exe
2888 | perfhost.exe
3028 | locator.exe
3060 | SensorDataService.exe
4292 | snmptrap.exe
840 | spectrum.exe
1800 | ssh-agent.exe
3764 | TieringEngineService.exe
3204 | AgentService.exe
1484 | vds.exe
1576 | vssvc.exe
944 | wbengine.exe
4572 | WmiApSrv.exe
1300 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Processes: 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe, alg.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\ae395e8faa61dacc.bin | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
Drops file in Program Files directory 64 IoCs
Processes: 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe, alg.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{544CD458-F493-4888-9A56-33661A7F5454}\chrome_installer.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | alg.exe
Drops file in Windows directory 3 IoCs
Processes: 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe, msdtc.exe, alg.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, fxssvc.exe, SearchFilterHost.exe, SearchIndexer.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6614a077c99da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfc52d077c99da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073a350087c99da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095115b077c99da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078cfa0097c99da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f48b3077c99da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f40029077c99da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
pid process
4784 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe (35 events)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 656 656 -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 4784 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe
Token: SeAuditPrivilege 3168 fxssvc.exe
Token: SeRestorePrivilege 3764 TieringEngineService.exe
Token: SeManageVolumePrivilege 3764 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3204 AgentService.exe
Token: SeBackupPrivilege 1576 vssvc.exe
Token: SeRestorePrivilege 1576 vssvc.exe
Token: SeAuditPrivilege 1576 vssvc.exe
Token: SeBackupPrivilege 944 wbengine.exe
Token: SeRestorePrivilege 944 wbengine.exe
Token: SeSecurityPrivilege 944 wbengine.exe
Token: 33 1300 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1300 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1300 SearchIndexer.exe (24 events)
Token: SeDebugPrivilege 4784 2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe (5 events)
Token: SeDebugPrivilege 1244 alg.exe (3 events)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 1300 wrote to memory of 4164 1300 SearchIndexer.exe SearchProtocolHost.exe
PID 1300 wrote to memory of 4164 1300 SearchIndexer.exe SearchProtocolHost.exe
PID 1300 wrote to memory of 3328 1300 SearchIndexer.exe SearchFilterHost.exe
PID 1300 wrote to memory of 3328 1300 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_d7a834d84f5bb8c2dcbeb298dbdb2d52_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\alg.exe (level 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
-
C:\Windows\system32\fxssvc.exe (level 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
-
C:\Windows\System32\msdtc.exe (level 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exe (level 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
-
C:\Windows\system32\locator.exe (level 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exe (level 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exe (level 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exe (level 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
-
C:\Windows\system32\TieringEngineService.exe (level 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exe (level 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exe (level 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe (level 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exe (level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe (level 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SearchFilterHost.exe (level 2)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
- Modifies data under HKEY_USERS
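The process tree and the signature list above show the sample enabling SeTakeOwnershipPrivilege and SeDebugPrivilege, writing into System32 and Program Files, and then a series of Windows and third-party service binaries (alg.exe, msdtc.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe and others) running as "Executes dropped EXE"; use of the Volume Shadow Copy COM API is flagged separately. The PowerShell below is an editor's added host check, not part of the sandbox output and not code from the sample: it compares each listed binary on a suspect host against the SHA256 the report recorded for the dropped copy, checks its Authenticode or catalog signature, and inventories existing shadow copies. The file paths and SHA256 values are copied from this report; the function names, the subset of paths chosen, and the service-name mapping are the editor's own assumptions. Run it from an elevated PowerShell session.

```powershell
# Editor's added example; not part of the sandbox report or of the sample.
# Paths and SHA256 values below are taken from this report's process tree and dropped-file list.
# Function names, the chosen subset of paths and the service names are the editor's assumptions.

# Binaries the report shows being overwritten and then run, with the SHA256 of the dropped copy.
$ReportedDrops = @{
    'C:\Windows\System32\alg.exe'               = 'c1a44c7692af18a09aced267d3c97d7b25f5e668d4d30a01b903f354f5c67e53'
    'C:\Windows\System32\msdtc.exe'             = '6a713c3d230ebe07065f68364e24d63ea1c1c402857178d6d4298d0cd22999f9'
    'C:\Windows\System32\snmptrap.exe'          = 'de12d7e3a069c42e418576bdaf9dc0cfd68cd09df1d195760e4d0f102681bc1f'
    'C:\Windows\System32\vds.exe'               = '972da2d299656c60737fc6bd58346c308fb710fbf5ba76e98d64aac07c74e1f3'
    'C:\Windows\System32\VSSVC.exe'             = '0686a871e888f87967a8a10b8b4bb6d2b026caf36ae358850bb157763f2c9e71'
    'C:\Windows\System32\wbengine.exe'          = 'f733e884a54da0a866406439fe3992fd9d51a0d2ccd5735da4083330fcd4469b'
    'C:\Windows\System32\SearchIndexer.exe'     = 'a5b69720e250ee67aab52ae15d4338ac1357d26501d7b7dd8b1533d9358c8382'
    'C:\Windows\System32\FXSSVC.exe'            = 'ff58f06948fb780435136a0c58ae6ce34406f892b2f9b46c831cc7a863aa7251'
    'C:\Windows\System32\OpenSSH\ssh-agent.exe' = 'b7d2930e1d5557cf86a5c7cf1ffc3680a00af9acedad3bdb4e97f936a3c5392c'
    'C:\Program Files\7-Zip\7z.exe'             = '35908899235ca40590a6613feb14772988bae0967ccbe0ac92580b91bb1af76d'
}

function Test-ReplacedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ReportedSha256
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Signature = 'n/a'; Signer = ''; MatchesReport = $false; Suspect = $true }
    }
    # Get-AuthenticodeSignature also consults the system catalogs, so an untouched catalog-signed
    # OS binary reports 'Valid'. Overwriting the file breaks embedded and catalog signatures alike.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $match  = ($hash -ieq $ReportedSha256)
    [pscustomobject]@{
        Path          = $Path
        Exists        = $true
        Signature     = $sig.Status
        Signer        = $signer
        MatchesReport = $match
        # Either finding is enough to treat the file as replaced: the hash equals the dropped copy
        # from this run, or a vendor service binary no longer carries a valid signature.
        Suspect       = $match -or ($sig.Status -ne 'Valid')
    }
}

function Get-ShadowCopyInventory {
    # The report flags VSS COM API use. Record which snapshots exist now so a later
    # comparison shows whether any were removed after the sample ran.
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Id = $_.ID; Volume = $_.VolumeName; Created = $_.InstallDate }
        }
}

$results = foreach ($entry in $ReportedDrops.GetEnumerator()) {
    Test-ReplacedBinary -Path $entry.Key -ReportedSha256 $entry.Value
}
$results | Sort-Object -Property Suspect -Descending |
    Format-Table Path, Exists, Signature, MatchesReport, Suspect -AutoSize

# Services backed by the binaries above (editor's mapping of service names, not from the report).
Get-Service -Name ALG, MSDTC, SNMPTRAP, vds, VSS, wbengine, WSearch, Fax, 'ssh-agent' -ErrorAction SilentlyContinue |
    Format-Table Name, Status, StartType -AutoSize

$snapshots = @(Get-ShadowCopyInventory)
if ($snapshots.Count -eq 0) {
    Write-Warning 'No volume shadow copies present; compare with the backup policy for this host.'
} else {
    $snapshots | Format-Table -AutoSize
}
```

The hash comparison only proves the point on a host with the same Windows and application builds as the sandbox: the dropped copies are overwritten versions of whatever binary was on disk, so a host with a different build will not match these SHA256 values even when infected. The signature status is the durable check, and a Microsoft- or vendor-signed service binary reporting anything other than Valid on one of these paths is the finding to act on.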
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize: 2.1MB
MD5: 603a48c4013f465a4434ede58a2f0140
SHA1: d7f1a9ed6e97bfc746bf3242ad26cdc7a8633236
SHA256: fa00d376ce1dc6180a8445b423d2be9b8a7713ccb967a32ce9cb4daba29cbe01
SHA512: 3018ee89dd9b9882732ca5d0777735a1299b460659bfcabe86ff7a651d647a6e8bccc9b30736d03ab04b761b3ecc7aa2ea9849547001ff306f5e117d482b7a7b
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize: 789KB
MD5: aeb8cbc5450cff12fac516664cfa7156
SHA1: 2f159980c1990eefc08bacaf9b260ff3b9ce4f4e
SHA256: 032f1eb7c5434bb678d17baa4bf3adf4a612fbda1eac6765ed08135b14ad5158
SHA512: ce04357acfd44a7ee3839544165ac0e2947be2af24e717ca68eafa24369c100446cd055289806b9907de91dcc21e68c7af8ec0417ab6c52f1873d2fe3d563455
-
C:\Program Files\7-Zip\7z.exe
Filesize: 1.1MB
MD5: 7fa7faf4340b00adf00afdbea8c92c78
SHA1: 31067ea187c6704095447f927894047a6239fd66
SHA256: 35908899235ca40590a6613feb14772988bae0967ccbe0ac92580b91bb1af76d
SHA512: 0741857085426f8a4d041c72ae1e0ad5b48f709eb2fe9fd32d1f02f52d40db03894b94ed8aca89593bb5db2665cf4024382f6b8883eacb6f45b10531abf73e56
-
C:\Program Files\7-Zip\7zFM.exe
Filesize: 1.5MB
MD5: 86be0da84da1c6c0500188c0bed93750
SHA1: ebd025a5227bf71ad18f7d3c1cd646f3b6b0df1a
SHA256: bba86fd29bfa76be31db8889182468302ba3d7b14efdc60057c6e10706a5b206
SHA512: 310d284eb368c11f875d2950d4d411e78db6dd35ce017cb9903bf08b73226f6001d6dd605fe6db09c74d4e011b2c94642c6086bc99b988b39aa69c6b3cfe4b2c
-
C:\Program Files\7-Zip\7zG.exe
Filesize: 1.2MB
MD5: 1463379b84daf8729511a6d1e0534ec9
SHA1: 01b1adb9cc7d962768bf9da0892669c2591dfe12
SHA256: 60335d98edec1e44b91702bf95775d61df9f20e16d327f7ab3e944b46538b33e
SHA512: 87f9250a2ae4fb2667ba937c14f3fbe9f0654b546a67e6916d4974213846f7f8287067ec370216aae69a8d60a3ed7acbd0dee94b989a01bf005402d42b732614
-
C:\Program Files\7-Zip\Uninstall.exe
Filesize: 582KB
MD5: 28a2ca46c679fdf45f7b62729fa73c8e
SHA1: 25e4987371ae9e0f9229cf5a60bcfd12cd1b454f
SHA256: 87e5e19c4b44dd909cae30ab3e11a6e0c2848423998922999f9cfffb87111afc
SHA512: cfc176edb7738f5ad1041d140335b1d12dffc9ad0d004f93ab8a928c7ad820564867480570e531f705d5655db5c51c52dfa661c7457f0031b58ece8809a9dce5
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize: 840KB
MD5: a277121a326de6ab04e499fdb498aa0f
SHA1: 061bb85b4078d7ff2ce70c0f6aa53d1104b9049f
SHA256: fec8236f808a9254d382c2f605af4437cdea0c1f815cd40ba0a268512ebdf095
SHA512: 6f4628e59d18e1df9493c6674e17a8d60f015036b20a9772f08bbcd8c7fe916013f500f32b96d1502b2429901daf985e1f94d38a6c349739f59dbc63593771ec
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize: 4.6MB
MD5: 2a5c309029dd5bc103911c7ffdbe908d
SHA1: 9a3ee6474999b148ce8ec62383e9a14e84630eee
SHA256: 9a0c3d16721454ade87424a8ef293cca2989f3caff238c528479cc95efc86c6a
SHA512: bed3bac49be4df245011192b64ba1516bc8346091ed62ffadc24e0aa384e772a8e34b484bd76c160fb6e1aa26722966061f5fb1091444cf6471b2956859ec256
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize: 910KB
MD5: f694ccb98159fa68189b70d8dfe86edd
SHA1: fc199d6995166213d12fe0ab6733b36205e59afc
SHA256: 88516153faf6e6c00ebf8a34fb9b2445eaff479db90a98a2095287eef2930bd5
SHA512: 10a51034400e93d20030ff92a600b82f733164a61350e7b9ee030d5dae98a77775af258dfbe38ced4218767a5485c03109946ccad78a2b8c3d1cfc45e4a4b3f1
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize: 24.0MB
MD5: c38ec67162a208f807333f0ffde296e1
SHA1: d20f1677e3cbe5cec2fbdb554220c81668d8b5bf
SHA256: da12a5eee52b54774ccbdfb3d3ce6f8b7c779889bf73e84c56c295e2f11fde4c
SHA512: abf6a0b1128d247b6fdf127a969a3821ca6bc76a64fb56bf507f9736c857f107cfb1ed200ef56678d992362531cde014417a33e72afed6e42cbb7d122c023e1a
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize: 2.7MB
MD5: 8b12cd97342eeca7ee94c64b0cb492c7
SHA1: 187d512b14c75ee36953cd7e9a33f5a9536f8592
SHA256: c01b93cfcddc0be1784d48b32b9a483313843aef8344f4f720e0424934b7cdd8
SHA512: 2af5f4fcea208118f8dce50e6a59fdd44ecba1fb96254233405ac4431f26bf1acf529873d7b62ea5a6e8abafdceab55ea26143da523a7449d44211e0c049a730
-
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize: 1.1MB
MD5: fd01b64b5f5c807e1c5ba3165b354ee6
SHA1: 5ff6dbd88cc0729343b43603599f9f49839b1b92
SHA256: 260a60e6ec11a51d3a1197df50737bb6c8a1326be430f4707203ba90d46e2116
SHA512: faf86d6ebc99f594b7be76585923a4776037c9f4f2f1c98c03fb0b10d253b104a1b0f7b7ab5bcde3d361674addf2c067f9607106ac114f2e44a0f870a0ef6cb1
-
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize: 805KB
MD5: 9a77d070e240092e9a12992e22c822af
SHA1: 4bdffece92103751eff31060cbea77b4eb6197d3
SHA256: c90533688c734481d9673c982e97562e6f09d375a1c0575f4c01f6789486be7e
SHA512: fab3d929e6681c364b67a9018590466b3f75a76aef99f594a19ea3348967e432fc9bd5e6f4772a047a362c36fad82d6617d07ef9cfef9b6cb8c2d79af783b34e
-
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize: 656KB
MD5: 5007fe71012109dd6b5e8a4e227b5941
SHA1: 8e58b623f2f421f6e6dc542235192cb10bb37d1a
SHA256: 4fe75d1fb710a58e681061502fdccab69bd250740081fadf0a9eebe0245ff623
SHA512: 20ad0cf01a1a529a1a4ca10310bfdc9641f8c6d91c84af0136e1395612d630b6aad236ea5f17c65ccfb5a1acd7c805ffa91627cfa324bb5f409fc9489c22a8a0
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize: 4.6MB
MD5: 191c94b3ce769c7d44a7b5f3381fef30
SHA1: 7260a9fd0e3ce9bff1b554729a7ad84846ccf122
SHA256: d930a8b83262724c82615c543dc74ed6cd1b970321a3adeae481a6e95ef2c405
SHA512: 2665558858ac8119fc3fd028fd1c98a9e2faccbc9264702f3097d32c1a7e3a1b218f99d2edbcc9d549099dc85cc989a7ac6301403ea18c5d51933c389202f003
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize: 4.6MB
MD5: aaf93a67c815d674e19a08403ac96775
SHA1: 0b972d1993b3b8142f1d177e5f614e72ccd2e475
SHA256: bc37fd2fcd01400e50d4cc44f0656e7dcb471937292553c1fb7770e206899e20
SHA512: f63ac045299e6b5a74b0960bb0242cf39f058c8eedf2048a569d0270b23a78c5374695f831efb978a5288ce50fd1faa8e30e06b552680324a72fcad49137996c
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize: 1.9MB
MD5: 112d992857424f9f7205add9e9b87e3b
SHA1: 293a63b4b19ca7c72bbab1487a50d5b750d0ad1b
SHA256: f1ec45b9e30b49b3a62439d39abf172ca3fb99be7321ed6a330fb0957f54cebc
SHA512: 14d6ceb60e1ee3cc1d258bb8106c60a66b06ed51e22191f94fc6f9015ab313b9a837e9c15b95ea686fb8dad216bc34e9c4e65139fdc8248190dfb9fbca7af39c
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize: 2.1MB
MD5: 53b965869f3a756823fefb89775cf2a8
SHA1: 074726ef808ca41313ff24693a7cd9671d674795
SHA256: 5009a76fe64d392f3279fbc2b3535b6b3f780b2c4442c63d8e78f59ba0d87ba1
SHA512: ae75e72dff58557b1bc69dd57526801b77f1e349935ae4e6f94caaf81323630b76b0664e781adaee31d6f8157214b992f6cfb11ab14283fb8b1c287eb57e24da
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize: 1.8MB
MD5: e42d7829fd2f57d1af71262a2771b282
SHA1: 7ebb02d5389b8f6a5ac340c2456b61378a8fa9a1
SHA256: 2d7ed238cfc14ec949e2b96af7e1cd034b7418e792d5e44fd3145790a5fd88c9
SHA512: 926257c138b4890c60e06cd062b887024bd248d68226780a47f3ca987aa05153ba89cf807fbd6407c85165af4357df30ef7e582a0ccf942c565c660501d0f94a
-
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize: 1.6MB
MD5: 6de5c1c6675baf023a42081471d22bfe
SHA1: 8f22a76c5ffe6ea8df7412a05f397347dbd32035
SHA256: bc484b4afde327db1d12f821ad7a0ba53c9a0fc1f779b782d17c9b3a85c22312
SHA512: 424f7b361da115a7b98475cc5f2781a4b626af4cdadd45420901c4ea43136e379ffe785c6e7915ac9623baf0ba49b04c8b9f66bb5b8441a4dcd88bae3d930767
-
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize: 581KB
MD5: aa7d7b3d833dd1e52cef7d79cc208b0b
SHA1: 65c852b00ef56d64d9cdffc27d71c991f7b21b77
SHA256: 13118f89e102e21d5f318f60a7c843ee6bb8bed694b1680b28b313183183840c
SHA512: 9fa2537252c34724249bc5ad7b12ef7936a23e55acd720b3a6e64aa5f821028698c988f91c0b4764ad2117ac60374e1c91a0b16595fee72b7d394b1d722824bb
-
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize: 581KB
MD5: 87402a9901af80c868fee01976910e37
SHA1: 90e7f940d43da6c7a7e19210149efc1ed75fb26a
SHA256: c58686054d46e8a019c138733c837090f86e52624f11498c120b3e60166a2459
SHA512: d8cb774ee95530f904ae25eeace95ba57a47ffacfe76d5b01b237e1af5e025afc85f0bdd711d23311219a1e6f1d13d9a86d86e2c881047f28d104ebe637a46a3
-
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize: 581KB
MD5: b358f72a8395992f23431adc85924ff8
SHA1: 6d1e049a52ceb6eda01bf805a56d34f6d9226a3f
SHA256: c3c92453304dc149a092413ccc068fea5cc5eca1c656ffd800b82b7cb7ce69da
SHA512: 1e34ac73796ced1e5e30d7e5fb9dc05bbe6796361e917f33963b7669185ef4e236b1f3de63203a9e75c949d3e0dc8284e3d1ddfff4a65184afd77db1773e49d2
-
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize: 601KB
MD5: 94d1342ee8c4fa5a8fbc2c185689fe04
SHA1: 81886c5144a2c3ffbca683ca1e563cc811ffbd62
SHA256: c039a5ac5bf6db16774191124679e5c53ac2e83957ace46038dbebcb56e192fa
SHA512: 41c1f46d000eef9ff877f50f92aa309e1d3b368bd14bb325af896155c35018079ea0913f3ffd237f0520c3d5a857ad0a8f49ca77151a2b618e10835cd817cf72
-
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize: 581KB
MD5: 1389104220fed1e6b0d032f769214a33
SHA1: c9ced4c92a9182eaddc5d6739337753c59c7cfe0
SHA256: 2c24e7fcc29f3867702b283f509ef186ac6777352d969a7304666db403beded2
SHA512: ef4a704c071cf8850a3f18afd1cb7c7557750f3225bb220f73a5ea60466f92b4c660c3d2be3bb0ecb10658722627972c4cd966f0b43b277b6e9307325fcc32ad
-
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize: 581KB
MD5: 6d62a42f26951beeddd4677ac17ce647
SHA1: e7d5cd2a32aaa0696e4e85675b0acfc3a410c9d4
SHA256: 23e742cc05dca87556230cedbde6b6a74081a562e8b662bb8c2440aa6114ac4e
SHA512: 49906a1a70a50d9f98b727ac1ee86e50c1c8d26a0195e74aae1b76d2dc5fef9be9430cbb2c5349d8a3d4e097f0ae00014e17aa081e940e0338c9682a8e392fa4
-
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize: 581KB
MD5: 87cd3d2c590fd3ef7bd32ea362f4e6cc
SHA1: fffb76a49d0ad98e9cdebf33ac722f846f7f24d3
SHA256: 1b700982669bb7fe4b3259b610aa63e56ef78e782ccb2902f81b7e37b2a36885
SHA512: 835af0b95b9ecbb63b5c76aefc3ddd4156f686a31ec0532f8fe4c8231c37a12334974799f7c7144df91cff930912c78b5705bc3ef3030b3967fd28a4cf33cb27
-
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize: 841KB
MD5: 1b2fd752cb12c4558e73b677f03e89f8
SHA1: 2861d752ac7005c70d83702d52e56c783c51c294
SHA256: 4899713a90eef86ef4a19d78a9c095477507506dec6280ba68f77887b4c20317
SHA512: 36ef53daaf33c26025d322254fb4bfc5b9a34d1ec4a2f0819300f059a844f321e0da49bbc30c28840ade8bee98bf6817e5661fa0600372e70b65f85dbb7a34f3
-
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize: 581KB
MD5: d25492ccf602d04a63bc6bdd5737e244
SHA1: 3051ef97f4743a67010dae7bc09ef9e9dce9cf7d
SHA256: 0357dedfc46e2b0fd81df95f68122aeb6fefacd7a404d547166bc2595d28ebd0
SHA512: 7e2207440fa2e9826bb8c49a8b90b9567b1f8b3fd10b65ce30e19d13f1811f74f72fd9b99c4f3fba9d4327bb081d65d1e12b0b1c888817f47a0511da85309fef
-
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize: 581KB
MD5: 459c276961fd4709ad53c9eb117e0b15
SHA1: 42838eb09ec41806130b022934cfc248c8846ec0
SHA256: 572907cf54eb89d741fb7d43ec1fd254d44a0a182db291ee9d8ced05ea92a31a
SHA512: 4c4228420092c7cb2a012b8de7ce1a4954721d390dbd1212584083919bd4799cbc542fcb28c4ac5b1019fcf7277ff26137f22856c8d5b7b71764d30e8e047bb7
-
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize: 717KB
MD5: 6b3d581031cda5d34f82af1d622fe605
SHA1: c373894c4703e05a768be54f7bf2d336c4e83cbd
SHA256: 97cc887f4275b34605c40acaf013ddd70a5bba1e0f49b16c6b1432383ebcd9b7
SHA512: 44222043ff7a3c5b1ed85e715a85456dc572ed9f8a07eed8a5a53131500ee2cf8c28a0b80df018c35082a814c66b30ffe3ceb6b8d45b4206416cc562a6caa674
-
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize: 581KB
MD5: 0d1f080dad7d85dc84a9e5268b1661f3
SHA1: 73ccaaadd3c20cac596d9aeae57ad2d42fba5665
SHA256: aca1c527fe3f014d7e8aea8ca0b1d9cdfea9cbf62e7d81e2ca65cc69cd0cb319
SHA512: 89c25a219228352438cc02673172d0da23c4ae586fd5f22fac8e0bf2643de7fcd291576487239ecc77aea3c70eb28f7b5f514e1c00ef45df520d7872745bbf31
-
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize: 581KB
MD5: 420870c8f4927836474a3bc3971bcd27
SHA1: d15478c5bc31280fed8de96a54e10f2ceecbcca5
SHA256: a7e1748d0d32f2fc81ad93a23b3dc967656fcbb27e6eabab778a4f0826483ab7
SHA512: dab75de6ca4fab0b860b4d52713e5b2784fe614a726d52bf044c9a29b0b33c0f1953da086f26f34ec746d1e23a85835af92090a34ddf6831379fac962b52f90b
-
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize: 717KB
MD5: c352245cf616aba8e441df0a11103770
SHA1: d53c9ee038f252d407bd8d6fc10008ce09a8cf86
SHA256: 2df7e71c0e3f2c5e1dda7370d2ac3061d50313c686e38bc17f634f07b6753ad7
SHA512: 7a00d9b40f0d709b5902e8dc67f32ad2ed7c162cfc6d586c44d59613ba808e4aa959165b6a5a39e92174cc5dc989b1ea0b8b59d9d6bf098c10ab8994b2d52533
-
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize: 841KB
MD5: ddd988c64bb567d96d585a39225eb351
SHA1: e9f7ff5f4219fde4665aa8b79ab25f1a079d30bf
SHA256: 63df0cd5a927669a5df4a353366e56c81b18e24f0869cecd1c0d28ec0f598071
SHA512: 58260178f50731fca86277504de37f85c969c167210b0c54575445c41a6f2e1a3ce22c870814eaf3b5989364b01f57334768896e4860ab116d063741d5d265a5
-
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize: 1020KB
MD5: 97ee1245b923738f6c32efcd258fd428
SHA1: 8d0063dd4a05dd9cff7e6286dfb5d94d3c9a122c
SHA256: c9dcfca7c0edc464d6761fed30dbbfd10a7e42b220493e5d55d29f45604b95cc
SHA512: a0401647a58c4647c6ef87c516bbddd7c438b4adf9f537faa4f359f9cf761c54b53c308eca9d915bc7d6e5a13d0bee05b7f5166b397a625a3048be0306279630
-
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize: 1.5MB
MD5: 06163f03f07077c8ffc25880ccc3e099
SHA1: e6cd1853ca2455d99fc9e71f36e06a82cc9a0211
SHA256: 2eca5fb815c95f0f657f17718fb800684555b21a784775a3435f5c5c145e4988
SHA512: 18f4b3277fef9b8a9e9d43c4af9c6ce94f7df241ac7987213374472a10e20053105cae4a76a3ab8f9602de870b53745591927f1caa139341a217e05581913b4d
-
C:\Program Files\dotnet\dotnet.exe
Filesize: 701KB
MD5: fcab73d055ebf7fe675dc55ab410f34a
SHA1: e195423872f9e95606b6486e46c2af9a9b76a70e
SHA256: 086872b8096e35bef8cf7c332b241d580e4c2d87faa3bbf2753b2167c44b6c50
SHA512: c2a6129e74238bda1c1764e9e0fdc4cb83477c2e52491bd04455493711f08881a790853008fa04a50cd5a60abd2bbee5b4ded50c1fdc472e95f224b5b24b4bb7
-
C:\Windows\SysWOW64\perfhost.exe
Filesize: 588KB
MD5: 7c91c6458633d9de01b8a9dfb268e15b
SHA1: 7802bcbbf67d45cebbe71d45edd52dbff6536622
SHA256: 6c0177e87a95d1732c2f67047b64dfc0e9e17d6e4679d37c8e41cfcd6798132a
SHA512: 655c1c8213acec45deda3f24153520999b2aaf462d2f9b50a42055bcf02f9670ba170779af6a4e82d3d96d1c2ffa0a170bb376799095b380c5fc389b808fb8b8
-
C:\Windows\System32\AgentService.exe
Filesize: 1.7MB
MD5: d73fbd7e13900422da39d5e3eac4af79
SHA1: d312ac59ddd893f41ee013224c2d982adec8cd47
SHA256: 784167e91e99a6271a4792a768ef2d9e4e973543633110a60c5a98e866361fed
SHA512: 95e3335d5c43cf17438b6d078ff0f7f7df598825050f96313d45c789aeb60480dc667071c89720399769fe3430206ee43be3930259957b11fbbb6d96bf76804a
-
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize: 659KB
MD5: bb0c649b3770f5b02636ed4fd2d690b6
SHA1: cc1c1cbb4ef28e5bbbbd85a35fc3a8d74d70bd32
SHA256: 76bdda29063c1ffde2cec5bdd53f64003dd2e230abd29c90fa65ae7ad7baa061
SHA512: 8b2e8a78ab6d1b2bd95263c0a0750f8a7a9fa06d274a4bce73b9df251e52387ed70b6cd270c9caf22e19fb6ea81e773d88e2b4d281b91b69279ed5d51a634f88
-
C:\Windows\System32\FXSSVC.exe
Filesize: 1.2MB
MD5: 8467a34c1bd4a28bf045604b089c4cc9
SHA1: dcc2149220a00731081fcfc93b37200a756dba3c
SHA256: ff58f06948fb780435136a0c58ae6ce34406f892b2f9b46c831cc7a863aa7251
SHA512: aab90916afc7310fe704e4a0caac5988d82d397c7bcbc1443d82ef6f2111c34f86e8c0bfa02b3c0c10db3f1a1516474cdf6f077d4bb0c10f095c78c309f10d83
-
C:\Windows\System32\Locator.exe
Filesize: 578KB
MD5: f69f261f10d6b5375b1250499c8bdf41
SHA1: 7625675b841465c21f548a0095500e511a93f24b
SHA256: 2ce412312cffee87acdbdcda678d55d3f78120caa4e483a6e2eaecee36c1f306
SHA512: c991370bad7055c2b72d1bfd1866d0201ae980efbe681f4a4d13c398c8bcf5057726787713dfa3096a664a71a4f0cdb6b6c69925941eaa05fa3f567eac1ea887
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize: 940KB
MD5: 8692005f8eaf55a05d0f20ffa3b80238
SHA1: 34c71f8fe27a58cb5f01c2850e5593b8ab6c878c
SHA256: b7d2930e1d5557cf86a5c7cf1ffc3680a00af9acedad3bdb4e97f936a3c5392c
SHA512: 7678208e16475b242b6064645c5f98ec814b503b9652c5f08a2b1c57a1b2b3ae3895b35369f8844dfc56b3a7a3c0115b11e398c76543f3f030a0be51c693739d
-
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize: 671KB
MD5: 55d9be7835e9afe174094564a977a0f5
SHA1: 7b5aaf2edebac1f0410d7a142a93ab701875559b
SHA256: 6848e47b93ecb0bf9bc02ec11115f4382cd890cbecae5c1bc299dca1409cc229
SHA512: 1265f0140dc7d5ed416e424657db62c6c6508b036e2a557e924eedf0d31c2abbca8abb0aec639c4fa91ea34c6109a674cf47d2db500e9511a243646b7e1c4988
-
C:\Windows\System32\SearchIndexer.exe
Filesize: 1.4MB
MD5: d3576aff27c3d4b63421c4e9d74fcb21
SHA1: fac5dafe3dcc772a3bb367df47f2ee20f10502c1
SHA256: a5b69720e250ee67aab52ae15d4338ac1357d26501d7b7dd8b1533d9358c8382
SHA512: c65ba9d279f20a0376650ca0f3b862f2f47d565ecc7596c86c6a0661c2e2a2cd9fa3b1fd9675d291f96ddbb3df439c8db2f4ec90cbafd692abff9ed98c19ccb1
-
C:\Windows\System32\SensorDataService.exe
Filesize: 1.8MB
MD5: 835959854afaae6aa445bb579443946f
SHA1: 99a7baba9ba77b655e2518019bfd74cf9e073763
SHA256: 31901e312b3b8e524ecffd07123a86030738340fbc5bbcdc0bef2f08e7ec08fd
SHA512: 58a156b8916809f6f5d8e0211bc412cc2229db8c935aacd80167a4f8153ba910cbdd1caa250ffb29c4b489af8c2366118061189c605b35940126500d179fd3e5
-
C:\Windows\System32\Spectrum.exe
Filesize: 1.4MB
MD5: 601ce98594cb048da25e0b4efb0edeb7
SHA1: 587a7a3be81c21b51512626d237ab7cf1e9ae91a
SHA256: 0744454b4a87af4a09d4ec4c7457bf99cd1da888d42ec178aee24ba1797bd762
SHA512: b36ea0ebd97ca1bdd6d3a4028ef8250db040455284355bb9b7294a3a498e647f77c2c8684368fea506ad285729b5692b882429c205a6944247a4b8c71576e646
-
C:\Windows\System32\TieringEngineService.exe
Filesize: 885KB
MD5: 1f3363567f87d232ce5cffa0b8ecf332
SHA1: d3e76784fa232229e23dd6eb8d6d11d2c9eb70ed
SHA256: 3356131e2032da96652a7372c7401d91169450728f26a56893536af03faa8267
SHA512: fa0820b5c8e80420cf4fd6e38ea1f8196ff6dac42fd3a09f2360d39a0ac6b0489d0b670b16cc04947e0a8efa70586e26ab8b6a31f177ccd0f1d07ac63282a8be
-
C:\Windows\System32\VSSVC.exe
Filesize: 2.0MB
MD5: 223feb2ed1ab26b621e836941cd186d5
SHA1: e2d054ffec7dc33d59057e6bf9f6b2f04098d0a8
SHA256: 0686a871e888f87967a8a10b8b4bb6d2b026caf36ae358850bb157763f2c9e71
SHA512: 5da870931b15b8b834b790a17ea1afa62aecc2e40fbdb25b71d7fb37f2455f4f2cbf67d04edf3f4938c62970c39cdbea0409ab3e8f5a09052ae171183572c0cf
-
C:\Windows\System32\alg.exe
Filesize: 661KB
MD5: ea98821fae01df58b8b30f32a171da08
SHA1: f1fa952b080c886096db02ec5ed03975338a9139
SHA256: c1a44c7692af18a09aced267d3c97d7b25f5e668d4d30a01b903f354f5c67e53
SHA512: aef9b29a37c545aae5354cc6b5bc4532f7a1c3b6f6d8fe092dca6c024e0b1b4bd44946b9013a0c6a273c7fef6b8b914f340a89e41e6e02e5b5848781dc5826c5
-
C:\Windows\System32\msdtc.exe
Filesize: 712KB
MD5: 21c6f89e8886ac10ab1e96441f34298c
SHA1: e5ad606c7ba0fa160dc3c8bf0cb1fcb8ae00f9f3
SHA256: 6a713c3d230ebe07065f68364e24d63ea1c1c402857178d6d4298d0cd22999f9
SHA512: 36fbf85a630be920353ed40a5ca70bee6925a39e759bfd833ca6c5c2d9c5215da705cbae39b40931d8774c1936790fccf8bd83eda7b8a4c764fec2d3d1007dbc
-
C:\Windows\System32\snmptrap.exe
Filesize: 584KB
MD5: 11cf56567a76b6789d85611438f6be2b
SHA1: b8919472a5208b16d9c7c520d8e275b0c97de8c2
SHA256: de12d7e3a069c42e418576bdaf9dc0cfd68cd09df1d195760e4d0f102681bc1f
SHA512: 16dcd0689bc14ea6677d3febde4643c5ecbd50d064ad8ab0d7c89ab708da44f31a332ff488c6f7782c83b6812e3e7efc77d15ff07b46cd024063a39014def85c
-
C:\Windows\System32\vds.exe
Filesize: 1.3MB
MD5: 60be8ad1c83373746d8dd5c32eee9afb
SHA1: 1b51f2c195be3f43b8fa1456f6b567639e4275db
SHA256: 972da2d299656c60737fc6bd58346c308fb710fbf5ba76e98d64aac07c74e1f3
SHA512: 68a9ce12cdfbaf5a356c2c2d40c009831ed32b68a54bd456de81043e2227391c85724026061110168c5d715c13dbad5683d401b28cbcfa7d859adf9af1be8c01
-
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize: 772KB
MD5: 0282df9e808e25b3424953dc611edaf1
SHA1: 017de5130238b8e39ae216af8bb2acba4d076354
SHA256: fca629d84c9ada940dd28d4148bfe0e20a0fe46ccd022160e58510313a857614
SHA512: a3e60898416ccf4152cab1a586e77c6f5a808b84780936f8ce5a0a7d0b1a4a75cea6a1d554608371e2ef566bfbc140f14c1c660aa427b02bb81cdaa7e5f92872
-
C:\Windows\System32\wbengine.exe
Filesize: 2.1MB
MD5: 5e58311a2d903b29a202d85a51d91dcc
SHA1: eaafc30348922f749284889560d58b3a4269013d
SHA256: f733e884a54da0a866406439fe3992fd9d51a0d2ccd5735da4083330fcd4469b
SHA512: b96e08c1b54b98950b1602cb956f08737974451afc1819efe760c07ddf8e19aa2f6ab96d5ce24a15fbb7fa097334b0eb66de623359a25c3a34f093ab3d127ce8
-
C:\Windows\system32\AppVClient.exe
Filesize: 1.3MB
MD5: a33a4efa8dcbb26aff0209b13e169e90
SHA1: 41ec36fd490b8417b2d5ae181ef3b54158097b7e
SHA256: a72e1116d91603e54f150662b810456e50a98ed1cb7c58c26c164f368e5de583
SHA512: 8d45b956dcf66a060a6e4a71ee0af8d9b170828b4443c1c57f1edc3a9b25ab33e83b297b02c2fe452572d8c05f80315c266d59bac692488bceab781d2284ac3e
-
C:\Windows\system32\SgrmBroker.exe
Filesize: 877KB
MD5: 28a9c3689e92a4a6b8e8821ec868a4d9
SHA124e82f2bfb5f9bd5ca82339759c69515b85d5afc
SHA256912c4883c20fdf8709564133320e47508a799904699243278b8798b7bb30826d
SHA512af7d3406129ebdd00e0b6315ff12d7cf4dc0ab185cbb0e0cf23473dd33a72b0003bc9564b0fe5de428fcf3471587a050e6421ee21e670b818b3c3c497be7dd51
-
C:\Windows\system32\msiexec.exeFilesize
635KB
MD57bb66b1d2717277ac98091edf9feedb0
SHA18a937fcc90755d5644e09541b28a4ebc891db8f9
SHA25615b81100fc147e74f185a5725996c838428a2537cfff5b181f1dd57a062f7a22
SHA512564994661b75656b550c95688276d38763f66d4f876d3460d5c644993ac0bffcff6c8100c42347fa762d09454c80ceb39644a2b458602ae992d72599f6875cd7
-