Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 10:04

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
Resource: win7-20240221-en
General
Target: 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
Size: 712KB
MD5: 55b242a8af0055b1bf0f6352c15ba9cf
SHA1: 45ee7a8cf5637cefe449a62c3806fd6c887926e1
SHA256: 06daf177c30b62c34f58e0c003f9891ed803d0e3b3a862bbd6ddd155720a91c5
SHA512: 7afdb67874267d097551913760c972aaf9e1dceddad465d9a6b17e053e947be659c8dbe3b54678924a98b0b769bf8b2f49af4092d8892837fe1e310cbb4acd44
SSDEEP: 12288:etOw6BaDravfgGchah+H/cXy5YFSRNEaNZ2ONbQo2bzTWSaVVQtGLfHtVclBq+0B:w6BeaHsK+fM2jEaNZBqoeW7V6tGLfHt9
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
Every name in this list is an existing Windows or third-party service executable, not a new file: each path also appears in the Drops-file signatures below as opened for modification by the sample or by DiagnosticsHub.StandardCollector.Service.exe, which is why the sandbox classes their later execution as running a dropped EXE.
Processes:
pid | process
4272 | alg.exe
2640 | DiagnosticsHub.StandardCollector.Service.exe
4960 | fxssvc.exe
4176 | elevation_service.exe
2340 | elevation_service.exe
3444 | maintenanceservice.exe
1732 | msdtc.exe
620 | OSE.EXE
4100 | PerceptionSimulationService.exe
3984 | perfhost.exe
4172 | locator.exe
1516 | SensorDataService.exe
3788 | snmptrap.exe
4140 | spectrum.exe
2012 | ssh-agent.exe
1320 | TieringEngineService.exe
876 | AgentService.exe
2644 | vds.exe
4368 | vssvc.exe
2576 | wbengine.exe
2872 | WmiApSrv.exe
3624 | SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 31 IoCs
Processes: DiagnosticsHub.StandardCollector.Service.exe, 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\4ed3eedeaa61dacc.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
-
Drops file in Program Files directory 64 IoCs
Processes: DiagnosticsHub.StandardCollector.Service.exe, 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe, maintenanceservice.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaws.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
-
Drops file in Windows directory 3 IoCs
Processes: 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe, msdtc.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
-
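The flattened signature entries in this report (the System32 and Program Files drops above, the "Executes dropped EXE" process list, and the SCSI registry reads) are easier to reason about once parsed into (action, target, process) records: which existing executables each process opened for modification, which of those later show up as executed processes, and which SCSI vendor strings (Ven_QEMU, Ven_Msft Virtual DVD-ROM, Ven_DADY) were inspected. The Python below is an added example written for this page, not part of the tria.ge report or of the sample. The input strings are short excerpts copied from the report; the parsing rules (every entry begins with one of a fixed set of action phrases, and the process name is the last whitespace-delimited token) are assumptions about the report's layout, not a documented format.

```python
"""Parse flattened sandbox signature entries into structured records
and summarise them for triage.  Added example; the excerpts below are
copied from the report, the layout rules are assumptions."""
import re
from collections import defaultdict

# Action phrases that start every entry in the flattened signature lines
# (assumed from the report text; longer phrases listed before prefixes).
ACTIONS = (
    "File opened for modification",
    "File created",
    "Key value queried",
    "Key opened",
    "Set value (str)",
    "Set value (data)",
)
# Zero-width split in front of each action phrase.
_SPLIT = re.compile("(?=" + "|".join(re.escape(a) + " " for a in ACTIONS) + ")")
# Vendor token inside a SCSI device-instance path, e.g. ...\Enum\SCSI\CdRom&Ven_QEMU&...
_VEN = re.compile(r"\\Enum\\SCSI\\[^\\]*?&Ven_([^&\\]+)")

SAMPLE = "2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe"

# Excerpts copied from the report above (System32 drops, SCSI registry reads).
REPORT_LINES = [
    "File opened for modification C:\\Windows\\System32\\SensorDataService.exe "
    "DiagnosticsHub.StandardCollector.Service.exe "
    "File opened for modification C:\\Windows\\system32\\fxssvc.exe " + SAMPLE + " "
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe "
    "File opened for modification C:\\Windows\\System32\\alg.exe " + SAMPLE,
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\"
    "CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\\4&215468a5&0&010000 spectrum.exe "
    "Key value queried \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\"
    "Disk&Ven_DADY&Prod_HARDDISK\\4&215468a5&0&000000\\FriendlyName SensorDataService.exe "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\"
    "CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\\2&1f4adffe&0&000002 spectrum.exe",
]
# Excerpt of the "Executes dropped EXE" pid/process list from the report.
EXEC_LINE = ("pid process 4272 alg.exe 2640 DiagnosticsHub.StandardCollector.Service.exe "
             "4960 fxssvc.exe 1516 SensorDataService.exe 4140 spectrum.exe")


def parse_entries(line):
    """Split one flattened line into (action, target, process) tuples."""
    records = []
    for chunk in _SPLIT.split(line):
        chunk = chunk.strip()
        if not chunk:
            continue
        action = next(a for a in ACTIONS if chunk.startswith(a + " "))
        rest = chunk[len(action) + 1:]
        # Process names carry no spaces in this report, so the last token is
        # the process; the target (which may contain spaces) is the remainder.
        target, _, process = rest.rpartition(" ")
        records.append((action, target, process))
    return records


def parse_executed(line):
    """'pid process 4272 alg.exe ...' -> {'alg.exe': 4272, ...}."""
    toks = line.split()[2:]
    return {name: int(pid) for pid, name in zip(toks[::2], toks[1::2])}


def modified_executables(records):
    """Map process -> sorted .exe paths it opened for modification."""
    out = defaultdict(set)
    for action, target, process in records:
        if action == "File opened for modification" and target.lower().endswith(".exe"):
            out[process].add(target)
    return {p: sorted(t) for p, t in out.items()}


def modified_then_executed(records, executed):
    """Basenames opened for modification that also appear as executed processes."""
    names = {t.rsplit("\\", 1)[-1] for a, t, _ in records
             if a == "File opened for modification" and t.lower().endswith(".exe")}
    return sorted((n for n in names if n in executed), key=str.lower)


def scsi_vendors(records):
    """SCSI vendor strings read from the registry -> processes that read them."""
    out = defaultdict(set)
    for _, target, process in records:
        m = _VEN.search(target)
        if m:
            out[m.group(1)].add(process)
    return {v: sorted(p) for v, p in out.items()}


if __name__ == "__main__":
    recs = [r for line in REPORT_LINES for r in parse_entries(line)]
    for proc, paths in modified_executables(recs).items():
        print(proc, "->", ", ".join(paths))
    print("modified and later executed:", modified_then_executed(recs, parse_executed(EXEC_LINE)))
    print("SCSI vendors inspected:", scsi_vendors(recs))
```

Run against the full report the same way: paste each flattened signature line into REPORT_LINES and the whole pid/process line into EXEC_LINE. The overlap returned by modified_then_executed is the list of service binaries to pull from the host and verify (signature, hash against a clean image) before trusting any of them, and the vendor set is what the sample saw when it looked for virtualisation.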
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, fxssvc.exe, SearchFilterHost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d38d20735399da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001eba24715399da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4c578735399da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089f3e4725399da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dca3f5725399da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef4d55705399da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2753d705399da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed
(zipped) Folder" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000545f87705399da01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
pid process (events)
2936 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe (35 events)
2640 DiagnosticsHub.StandardCollector.Service.exe (7 events)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
656 656
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 2936 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
Token: SeAuditPrivilege 4960 fxssvc.exe
Token: SeRestorePrivilege 1320 TieringEngineService.exe
Token: SeManageVolumePrivilege 1320 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 876 AgentService.exe
Token: SeBackupPrivilege 4368 vssvc.exe
Token: SeRestorePrivilege 4368 vssvc.exe
Token: SeAuditPrivilege 4368 vssvc.exe
Token: SeBackupPrivilege 2576 wbengine.exe
Token: SeRestorePrivilege 2576 wbengine.exe
Token: SeSecurityPrivilege 2576 wbengine.exe
Token: 33 3624 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3624 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3624 SearchIndexer.exe (24 events)
Token: SeDebugPrivilege 2936 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe (5 events)
Token: SeDebugPrivilege 2640 DiagnosticsHub.StandardCollector.Service.exe
-
SeTakeOwnershipPrivilege lets a process take ownership of objects whose DACL does not grant it access, and SeDebugPrivilege lets it open any process regardless of that process's DACL. The sample (PID 2936) enabling both, together with its "Drops file in System32 directory" tag and the "Executes dropped EXE" entries for service binaries such as alg.exe, fxssvc.exe and vssvc.exe in the process list below, is consistent with it overwriting protected service executables rather than keeping a process of its own resident. vssvc.exe, wbengine.exe and TieringEngineService.exe enable backup, restore and volume rights that backup and storage services use legitimately, but each of those images is itself tagged "Executes dropped EXE" in this run, so their privilege use cannot be read as the clean service's behaviour. The bare "33" for SearchIndexer.exe is a privilege LUID the sandbox did not resolve to a name.
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 3624 wrote to memory of 4816 3624 SearchIndexer.exe SearchProtocolHost.exe
PID 3624 wrote to memory of 4816 3624 SearchIndexer.exe SearchProtocolHost.exe
PID 3624 wrote to memory of 4424 3624 SearchIndexer.exe SearchFilterHost.exe
PID 3624 wrote to memory of 4424 3624 SearchIndexer.exe SearchFilterHost.exe
-
Both targets are the search host processes that SearchIndexer.exe (3624) launches (they sit under it in the process list below), so these are a parent's writes into its own newly created children, not injection into an unrelated process. What makes them worth a look is that SearchIndexer.exe itself is tagged "Executes dropped EXE" in this run.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups and snapshots. Ransomware commonly calls its COM interfaces to enumerate and delete shadow copies so that encrypted files cannot be rolled back; this signature records only that the API was used, not which operations were requested, so confirm on an affected host whether shadow copies survive (for example with vssadmin list shadows) before relying on them for recovery. Note that vssvc.exe, the service behind this API, is among the binaries tagged "Executes dropped EXE" in this run.
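The AdjustPrivilegeToken events above, parsed into a per-process privilege profile and checked against an allow-list of what each service normally enables. This is an added example written for this page, not code from the sandbox or from the report; the WEIGHTS heuristic and the EXPECTED allow-list are this example's own assumptions, and the LUID table is the SE_*_PRIVILEGE numbering from winnt.h, used to resolve the bare "33" the sandbox logged for SearchIndexer.exe.

```python
"""Per-process privilege profile from sandbox 'AdjustPrivilegeToken' events.

Added example written for this page; not the sandbox's or the report's own
code.  Input lines use the report's format, 'Token: <privilege> <pid> <image>',
where <privilege> is a name (SeDebugPrivilege) or, when the sandbox could not
resolve it, a bare LUID such as the '33' logged for SearchIndexer.exe.
"""
import re
from collections import defaultdict

# Privilege LUIDs from winnt.h (SE_*_PRIVILEGE constants).  The sandbox
# abbreviates some names it does resolve (SeIncBasePriorityPrivilege), so an
# allow-list has to use the sandbox's spelling for those.
PRIVILEGE_LUIDS = {
    3: "SeAssignPrimaryTokenPrivilege",
    8: "SeSecurityPrivilege",
    9: "SeTakeOwnershipPrivilege",
    14: "SeIncreaseBasePriorityPrivilege",
    17: "SeBackupPrivilege",
    18: "SeRestorePrivilege",
    20: "SeDebugPrivilege",
    21: "SeAuditPrivilege",
    28: "SeManageVolumePrivilege",
    33: "SeIncreaseWorkingSetPrivilege",
}

# Rights that bypass DACLs or reach into other processes.  The weights are
# this example's own triage heuristic, not a Windows or sandbox scheme.
WEIGHTS = {
    "SeDebugPrivilege": 3,
    "SeTakeOwnershipPrivilege": 3,
    "SeRestorePrivilege": 2,
    "SeBackupPrivilege": 2,
    "SeAssignPrimaryTokenPrivilege": 2,
    "SeSecurityPrivilege": 1,
    "SeManageVolumePrivilege": 1,
}

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_token_events(text):
    """Yield (privilege, pid, image) for every 'Token:' event in text.

    Works on one event per line and on the run-together extracted form.
    Unknown numeric LUIDs are kept as 'LUID:<n>' rather than dropped.
    """
    for priv, pid, image in TOKEN_RE.findall(text):
        if priv.isdigit():
            priv = PRIVILEGE_LUIDS.get(int(priv), f"LUID:{priv}")
        yield priv, int(pid), image


def summarize(text):
    """Return {(pid, image): {"privileges": {name: count}, "score": int}}."""
    procs = defaultdict(lambda: {"privileges": defaultdict(int), "score": 0})
    for priv, pid, image in parse_token_events(text):
        procs[(pid, image)]["privileges"][priv] += 1
    for entry in procs.values():
        # Score distinct rights, so SearchIndexer's 24 repeated
        # SeTakeOwnership enables count once.
        entry["score"] = sum(WEIGHTS.get(p, 0) for p in entry["privileges"])
        entry["privileges"] = dict(entry["privileges"])
    return dict(procs)


def flag_unexpected(summary, expected):
    """Return {(pid, image): [privileges]} that the allow-list does not cover.

    `expected` maps image name -> rights that binary legitimately enables;
    an image absent from it has every enabled right reported.
    """
    findings = {}
    for (pid, image), entry in summary.items():
        extra = sorted(set(entry["privileges"]) - expected.get(image, set()))
        if extra:
            findings[(pid, image)] = extra
    return findings


# Constructed sample: a subset of this report's events, one per line.
SAMPLE = """\
Token: SeTakeOwnershipPrivilege 2936 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
Token: SeDebugPrivilege 2936 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
Token: SeDebugPrivilege 2936 2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
Token: SeBackupPrivilege 4368 vssvc.exe
Token: SeRestorePrivilege 4368 vssvc.exe
Token: SeAuditPrivilege 4368 vssvc.exe
Token: 33 3624 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3624 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3624 SearchIndexer.exe
Token: SeDebugPrivilege 2640 DiagnosticsHub.StandardCollector.Service.exe
"""

# Allow-list assumed for this example only; derive a real baseline from a
# clean run of the same VM image, not from this report's dropped binaries.
EXPECTED = {
    "vssvc.exe": {"SeBackupPrivilege", "SeRestorePrivilege", "SeAuditPrivilege"},
    "SearchIndexer.exe": {"SeIncreaseWorkingSetPrivilege",
                          "SeIncBasePriorityPrivilege",
                          "SeTakeOwnershipPrivilege"},
}

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for (pid, image), extra in flag_unexpected(summary, EXPECTED).items():
        print(f"{pid} {image}: unexpected {extra} (score {summary[(pid, image)]['score']})")
```

Run against the constructed sample, the sample binary (2936) is reported for SeDebugPrivilege and SeTakeOwnershipPrivilege with the highest score, DiagnosticsHub.StandardCollector.Service.exe (2640) for SeDebugPrivilege, and the two services whose rights match the allow-list stay quiet. Scoring distinct rights rather than raw event counts keeps a service that re-enables one privilege many times from outranking a process that enables two dangerous ones once.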
Processes
Every process below tagged "Executes dropped EXE" is a Windows or third-party service running from its normal install path. The sample itself carries only file-drop tags (System32, Program Files, Windows), and those same paths reappear under Downloads with new hashes: the services are executing binaries the sample wrote to their paths, so each of them, and not only the original process, has to be treated as compromised. The depth markers from the original tree are rendered here as "child of" notes.
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe (child of SearchIndexer.exe, PID 3624)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SearchFilterHost.exe (child of SearchIndexer.exe, PID 3624)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize: 2.1MB
MD5: a26930cf826e59b18d168eb0c9f8f9ba
SHA1: bfcbda4ed506ca110b47a8c25a05b1985ba71220
SHA256: 4a61e0622d95e99ad552cf09178ff15c9c77f9e62718df9ae4af8b25ee91e5be
SHA512: 7245b0fcf266b589a89dfdfb02ae78cd143cd760d49008654b6246a9b347f29698856551f94a64b4782fe63ef6c5d8df62efcd78a77e101458f8150f079e3f1b
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize: 789KB
MD5: 3051fc83300e9f674f8c6ce45e84fa28
SHA1: f39277c63713dfd455ed7a38c18fee3e632fbaf5
SHA256: aa23898060b9f6befc0234475dcf6c54eeb9a5e969e5ab21e69a9a0b9210bbb0
SHA512: bddcfb167caee94e481021e595d9069e8daa559678bd8281095b9749f9058be1a1493616a72e25ca2b032b0570129ce6a955e60a7efcba2ffd5abcaabe3941c8
-
C:\Program Files\7-Zip\7z.exe
Filesize: 1.1MB
MD5: 34e87d9fd9a62813195cd7f73b2f9157
SHA1: 289308fd305661dd6fed524e7284868588735d57
SHA256: b60e0e16211c15c42a197631cd4ac52b9cd703d05ddb9ce9ec84479493433882
SHA512: ccd2ecb0b4b41ceb695907d6465bd9a913725c3d01d9f27cd4c18c44c61b5ac774af5a217ccd7a582e1abcbbd8bc05b6506954d8e07768a22559b43e1ee1b575
-
C:\Program Files\7-Zip\7zFM.exe
Filesize: 1.5MB
MD5: 5d849b86afadf012564dfc7a88c424a4
SHA1: 1dbf739036e83979f402ed6cce6222483ec7afd0
SHA256: 81af477c4b09dc8883510e156d48e5fcf82713a8ce9a89d2448005a7bf73b3d1
SHA512: 61a51437fc5065eebaced91e46092d8797442c677cde6bc9e918db379a2a7dbb604f3bb614bd8cb6feae663926fd5917969514345f7627bdcbcf40d328ac1683
-
C:\Program Files\7-Zip\7zG.exe
Filesize: 1.2MB
MD5: dffb800c39548426455133a3b48da04f
SHA1: a34f9cadce8695f35322595351687d779e2a7063
SHA256: c8eaa444adcb0708f43476f0981eb95dac8a3ffcefe5d0ec9f0a9b2f25bcb031
SHA512: 8c51886b662ab512bb12a596f9151dd09d6514fbfd8dc2c57046b89bc0f07ba2c1d8502e758237de2c2ea7db319249373d62ba6157fb52f19132c3fb46bfe585
-
C:\Program Files\7-Zip\Uninstall.exe
Filesize: 582KB
MD5: d0d08be517b10adb4abf9825462b70e5
SHA1: 2f18474076c918912796d442f8579f4d44ea2b99
SHA256: fcb16af33dbe1b51b92c05c93e98e87e52f5d4b596ca190aa66df30c33ce8258
SHA512: 879083705bda02f806cd46e8a4ea1d684b67bc3f61a0a0a2fb6849abbfcad497b0e6183945b35f2cca70ad9aeaaa47baa9c52858257ea471a973e5cb6f29a6c6
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize: 840KB
MD5: 453084d91579db5b09ed3b51c436d368
SHA1: 927c78ac18b1fcc394e7a720bba287f2bde2914e
SHA256: 13c15743015fe27fedfc4ad408c7190e614110c1fd40894c75cc1000ec0be34e
SHA512: ac4172373c3933aad0b7de07d62aebf7a36bcb4a7ad449d0203ed0bc3a878aaf7e10fff55ad916499cb4e5ec99a12c90c5258cfce9189ef03a86b4e4d23f8df7
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize: 4.6MB
MD5: b7edb2b842774b3123cab7f039d9bdfb
SHA1: 0b0d17cc6bb3c51b903b1056e44be2e64ba0a147
SHA256: 9dada7bf5c2e411587a635d9f879fab482c72241d3652b7c889388ed208312b7
SHA512: 7fb919c4f220f674ddadad94a72a1207593681159bb0f173c8bbf2f59edd5ee13fc18315899c24028274e3ef85d2c4d8d774ec2e1982d3bf0ce5f74951ba8f9a
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize: 910KB
MD5: ecc9b132a7b0a4c512d713ab3602f7d8
SHA1: 6ef7bbfb4bc7b0877fa336a7388a51c375c85fa8
SHA256: 3015ff2df0eff87e6b3012fc4b19c121a052bd2aac6cf967b4dcd8fe4c7372c5
SHA512: 5fae66da0943f53ce5e606725d00dcdf877cb604770da9fa2939b19975bdb448f524f9c50c4a5be8fba07e25875f74801b488697728482377dec43a73e45e490
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize: 24.0MB
MD5: 5c4e5e3a8830d83f2dcc2fab724ae53d
SHA1: ab87e43ce466f5c543b98ec1d6cb9eccf2357298
SHA256: bf47f41ce916bacc7a86894b19c0cd3fec968d353425ae4d691a337fcebeb6a3
SHA512: 3c46d480fff0cb69665cbb6e6b42a4bbbfa220a770b470e3ddad8abf6b0f83d075b86760f12d17ecbd5aa66d3890d70e0746136e6256666fc2b290644ae9b03c
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize: 2.7MB
MD5: fdc713a8023ed21ba2ad518d9d340fd1
SHA1: 505d4842caafae4e733c7087171edf290b6273c5
SHA256: 1b237291913608b4cd840a380b92ea19abc7dba588fcd8e3cc2da6a525cfb99f
SHA512: 51e51ab64665c6f9c5ac967ec465fea519be83b40d3e75d103028862d4f93476858711374a424e1098104af15e84d9d6ee3ba35773bff23fd40ef276e188715c
-
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize: 1.1MB
MD5: eef1709f5e8a9bbb23b99728b22b2306
SHA1: 25db192db32e4fa0cc6a00d216a185e708455089
SHA256: 8bbf52d3f8c6e3f06c4e49478c6e47efb2a61f03fa31272e911d1b2beea4c296
SHA512: 28ea2e7a00be8e2d8565c410ba2ce9b66c84f8c964846837f14f2ee1584377463a75371724e5edc35de0265297265fac1bb5340e024f823da1366e9af24ea711
-
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize: 805KB
MD5: aa1f1d00cdbd228d093a47c29a28fb6c
SHA1: 7800d2c3e03ba7d9bd5d3964efe46e2301043429
SHA256: 02c6095d767e6c4b834b359cabfa7d5b0f67e8500bd4f068337736ccabfbe300
SHA512: 91060295b0f8da426266d3efce5d9a178f49b48b0ed93a6f6a20ee13d373980a2ac02cea35c4e7d5b3ea9c52258a801e68c1350b39697f1f1c577b4f6f6588d5
-
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize: 656KB
MD5: 8c89f5074adae285bc3699a0e02d290f
SHA1: 500f0982c8f2269cd28a7a4e585f0a97e6b5e182
SHA256: 077cf375abbc2775d1260ff09dece0173ef290b33e1fe931e820ef3f5cc86d1c
SHA512: 4a9edee62cca47893512ca94a280cad018d433563993573c85770e32320e00c4a872ad74d5db685f50fe76a6ca247b20378d0e3310d5a0ce299cd5218e4363d9
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize: 4.6MB
MD5: 6dc407da0cf9888b6dc5fd371844c3d8
SHA1: f70bc8dfae2a538abc412e1047fffa492764ecef
SHA256: 075ea40ff8cb70b431e7f976cbbbde75de68224a59ecc26f03dfa07d1aaa1691
SHA512: 01e3019688ba1fbcc0e08d6b28261bc1e3fac50b97df17dfdeb844002f8f85c4cd0103c6dfc64b4f9416842a16d7bb0b373fdaba0a337e25c422dc5cdba0335c
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize: 4.6MB
MD5: f24c28f4f12d0763b45547114e43b754
SHA1: e674869a51ea718a3cce90df00fb9fed41e8008e
SHA256: 0e2f690362536b722da3544f3ccde50984ca4b187a07f62b16b022936a246733
SHA512: bf627dff027bf6769a4f58c66c946eec043cc17ca129d2128c51c9966c9d368b6fdfbcc5bae4c8b5fa1315c4f60ad1a127e094eba43229b859d41236209c02a0
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize: 1.9MB
MD5: 2b0fe9f8dafc736f7ca93642a4d012cc
SHA1: 61a71b7e526e3bb4835c097fa9d3b25d483002bc
SHA256: 64c4fb9218a2e9f6641957d50c2ab8a60e9c368256848434536cd44bee86dbb4
SHA512: 4d2bde2955233b5feefaf75f56ba9dc3cb427e63147d753b6c6e712fa7fad9f9518e40882f8452842f6a85df0057f7783ae95c7a62828976f1146f906c1ceb69
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize: 2.1MB
MD5: e41d184ab7bcde25ed88cf97328edcfd
SHA1: e94b1fc64887c24c346b3636bb4b53b548ded9ca
SHA256: f7b6fcd50bd7cfbe4a4b182a4987f1e78b65709fdc6086e1ea114ea8cdd3ca3d
SHA512: a8b67428bec93572ea4c8e39c65b5a6152b4d664c471baac95554b94545f39a45dafaa85bb9033f8271d636aa7adba4c629706fde771341a8e2a81de59b0a8ab
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize: 1.8MB
MD5: cd727be10d55bca5d249828f8a784fc7
SHA1: 96119ed232f42646abc4a2098e8db0273203b2c6
SHA256: e5b3d019aa6c320d729fe98d02a846b67c9bf8a165c40d51468c6840e3ca9d41
SHA512: 661fdda7918edb630f4a9b41d31d437ee9a32e2e6db51c5cbd913d206bd901496f7424d0313b5e8c54f5fece1737d4d3564e633fb254deb459e20f0b9da05e63
-
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize: 1.6MB
MD5: 9a94033508347745978b262bb84e19d2
SHA1: e1667a84103a0404bc7adb6d686fa66675b0c6d2
SHA256: 72da42e266e9337cc911ac8ad5995b1d48a534b3eef65f87113a9fcfdabfa20b
SHA512: 7a2f7b97f6791ae286fec1aeec2ccfc490381770c19350023f85eaa56147917ca1a1c70d014fbeca061e955e9d75e7782c4db256c2fbff5df1e62594d2767408
-
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize: 581KB
MD5: e2a1e66e90238857852b5bd8b2b59cb4
SHA1: 111fe0afeb078a897568e511aeb98ea8eeccce94
SHA256: b897c817b5c8c2de296cd8d94f679a8f623c9d755bf185147cf90cda86bb3a52
SHA512: dca6cf4f83370ec4e1ff6f8dc3bf59e2858a9dc9168ff176efcbc9bee1b9ed3ea1db03d897d84d047a2128882841f2666934b071c2b60640211c25685781bb15
-
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize: 581KB
MD5: 6d5069bc48ae71770cfcf9c7c6773815
SHA1: 955ae2afee70a2df779387c5b1439c438afd0d44
SHA256: a297373ef0d04f58e0aeef0866f899e164e7616e3115ff75d74cbc4c82ab8d8d
SHA512: fb4c5e7bd92aa0bbefccd2eaf1d895cef595c838036cfd6040fe4934f1fc48b0756c8497f217ff69b9b038a91d4cdab955a67096b10121d5c61c7c6dd69d1939
-
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize: 581KB
MD5: 7a3a4e001b12ffdfe7ca331228c721b4
SHA1: a81afcada18488086a924c1b6c13a709ee5377c6
SHA256: 99b0db10109be61d88f31722a7a180202533873b26690ae7283ab20a47f21a45
SHA512: 1b4534521d9484a2b6ef086e495946d8e7c6ce473d034ddc93f37a1407d5790382aa64ecc22687bcbf648f08c6e2946071c365a3326ffb8314e93a675efb9783
-
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize: 601KB
MD5: eeb4e52c5aa76a4d4305ff921a122248
SHA1: 83d872eabf501bfabe97fe34c3fad0e14dd3220f
SHA256: a2153c7ede72304cd3bb478fc766e2539eb9ca0a616100712896450a5df262af
SHA512: a95f1c26d2972940dcc57bc4a87051583ae3f1e1a458dadd1cc2bc0aa4572e500d0f1757e4c74da0794701bbf745b02ddf16c1eefb7a983e9f55c89831939522
-
C:\Program Files\Java\j dk-1.8\bin\jar.exe
Filesize: 581KB
MD5: 6cae219bbe02d15c0f0c7dfbbd16f78a
SHA1: a0e6ea330e503ccb99c0a2f49fa6bd161576e386
SHA256: 0a8388b7064027ae6b2259841467b84146ad23a7dcb91e66edde5636579bb083
SHA512: 96c0314d0a1ba31a545091115954461283074a3a2912026bfc18ebf3464ae24697e39cff1a8fe1c9fb543825689b2c2dfbaaadcd15c912a96488dad56709be88
-
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize: 581KB
MD5: bf77c26e1423157d50da21b93d31b0a9
SHA1: 0bb4944510620ab75019c1cc78233f201f152299
SHA256: 3bee0b388aaf0b5a4185e91f9f182aeb76bf173924656a4f62312180788f21be
SHA512: 7d14381fe868cee41f45ebc2d203c563f6061a8558d3492b5d816c7805c28c8b9dd39e86e58fb1a6c154b02186e529006af58e408ba70eb46ab369fe1e421781
-
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize: 581KB
MD5: 3dd5a50bf65f3f3241c1ff47277153a2
SHA1: a32e40f2560354b8b99b6f040d95e8bb50a7074f
SHA256: cef44f99c28abf3ab1d32975d63395d1efa1f3bec950272697c1a7e488353d8f
SHA512: b5a25f453566575aa870b0c404b645578df5e2c691dd6a3ebfd43dafdda8a44dab394ffd70c07c3e8ca54c73976f3bc314dcca116c6d91786d4db653dc79e5ff
-
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize: 841KB
MD5: bceab496631e3eb5e950bd2ecc7c7229
SHA1: 90a7cbea0d1fea6cbc2ba0b70e7be2b9c94fd165
SHA256: 6a555395cb0551250c7059e2cd558c39b00bbb80fd5679fd2e00a49ca80de167
SHA512: f0d62dc4e20d68a67db08755972c2df7e52afa8ac4f07ff9f2add1a14ad34a1a320b9a27f1863f81c0e90a68f1f1e123e62aa6ec6899bcc168743bdd79d644e0
-
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize: 581KB
MD5: c5e7043508149eaf43a53c5332cd61aa
SHA1: c0f69f69b068f397fb4768d722765267f5263dc0
SHA256: 2a8001be28f3f9659cd58e44474c8c395370d7dbb5e27993d177623f8e307338
SHA512: 1b9fe8dafd54d6aca8f921f69889a36c478d9c249807aed0d6bdfa41a02f3b0833f747d5444f628a74c887a2dae44b8adea8a1ab079e26625896f2dfb8585496
-
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize: 581KB
MD5: 26d5080c850d863c7330af515400a7cf
SHA1: 0c8cb08fcc96b108eac68db9761d15e9fe78665c
SHA256: 6749ac8c63b4c094224f3b3fc8d10ff92511fc8f1beca4a04d0d48d6648a7b95
SHA512: 300006d7181750d5e2b84f23e2dfccb2a5229f80143bcb851fcbd21441ac22930cb9472c11a29a9fb85a9104de1dc94c6c8cd64c2608a27e82bb49b9e6c74cbd
-
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize: 717KB
MD5: 125fb61488a6630715db1362693afbeb
SHA1: 27fae6905624dbff3d6c35060567c1554fd68900
SHA256: 506167f861d9d8563c238fad8b23e774e6500748f69a55ab96404c88a83fedf6
SHA512: 05e676b3a327715a26461c3c5b351d7ffd2a41943189d07b8195aa5ae9f7783c21cbee10cdb81406beb69bd51204b6396dc80a5d162fa03d2f302f7cc2686418
-
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize: 581KB
MD5: 0f8be3d7cdce3bbeb54673c4b193a8ef
SHA1: b1bfdcc5e1801568bbf27c27be5a60a44563dda0
SHA256: e144e3ebd40f90f87669c2863fb015f2c66e809d587cad47161002ac1f50e705
SHA512: 2abb8f41d7ed231ca95de36257ab6d96b6d59ab793e9165710f0b031c80ba170eb2c6034da7089955947c910e3fe2a49bfd403eaa86297e01e6565116b75ff46
-
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize: 581KB
MD5: 31f87c32d25cfb1000b2703bb50bc306
SHA1: 0af53a3047f1cac320f5f56cb9167c9f3d512866
SHA256: 29b54ab5f5ac6f2c44dc4e340dc273d7ee6a1218db25a6d7bc05a47962625831
SHA512: 982686e7c24bd621c7e28110417e25b3c77c1b9cce09539eb29910df8e12eb82a4646972202638fd797f0bfa72047c7597686eed120c9eb744068c05aa4a6cb8
-
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize: 717KB
MD5: 4d3ad4083180450b6c61a356070fa296
SHA1: 1d42105b7b5eeca19132923792373a10fcf99a95
SHA256: b8e2dd4cc98bbb9b5396de81301dbb7e0cc473d436d02cf43fc4e3e8ea5a5c0d
SHA512: 2dfdc2c446c8ad8cefb187b94681d6cdbe17e989853bf69b01d6d520eab22a8af75bee5dd02c6c5c04f2a5bdeb52c0d3e0e126a9146f899e8bb4e247e071b695
-
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize: 841KB
MD5: 0ba4d4615fed86ff660621cbd5615da7
SHA1: 7b4fafa58c8877a54312147a4f8b7a54416cc086
SHA256: f2491809c652484af461c19b7bbea8989e9dd6b4da5dc8f1000b66b3afa88b0b
SHA512: 696d702027a17338b25ab9d673715afc8a1c5a97fa548530a19d2e2a4cb94604c82fae7607be8910ec72b49164e8efaba015ce98fd64e127298286a9d51bee65
-
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize: 1020KB
MD5: 9fcfdf9cdb81b4762ae8dafc33e1848a
SHA1: 16b34412b6f91e68f0988ad651b41831dfec343c
SHA256: 2a3a7b202b970f16e5f9f98ed247596b8e2275fc7ec947e8331456faec5a880f
SHA512: f12abedd7729b3c614061a7b94862d32154f0116af96ab4caf0f087de68c807f0dd09c044d9d18acd12f24fa8884722c2f12c29404d8dd488c68dbfefd31f85b
-
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize: 1.5MB
MD5: edf8be7405f6c64eeddfdf099a762f33
SHA1: e0143a533846c310bcd4037ee5a5b566e33b4331
SHA256: 3d61ab9eac67221609fdf07f1f38fe33cbca96b39f6b8d1fb5e58c68244f754c
SHA512: 7a19aeca494eadfa49278a4952ffe07ccd9074327410cddf9ba935172fd4c87d8e199a2b8c9bc9ff6154788f8c75a04f06feeb06a40ab52aa00b8516726e83ea
-
C:\Program Files\dotnet\dotnet.exe
Filesize: 701KB
MD5: 2a825157cda14bbbd038d20801c03268
SHA1: d9d77a9143ddbdae446d67d18c166cca1451a4a6
SHA256: ab19ee03c7519bc81a553b23cc8625fa69f10738c2eb6e1eca3a7815bca0a5ba
SHA512: 6300fe0a39ad8e9c8f344ac324959e800f9efc0073e7ee02a1b3aa7f4bb0754e601d01380f492f3a3a436d1c5eab9ddc8eb26ff4690a727b57e7aa169d447272
-
C:\Windows\SysWOW64\perfhost.exe
Filesize: 588KB
MD5: d3c3e5e2059d066d0bdcb1f97d799075
SHA1: c8458b1d127f95b0c00b2828b31297a5392765cd
SHA256: 6fb4b856c24417b1f7744be122de8305c390049e57aa07b88a88f402da23cd06
SHA512: 61ce4d05fee3de58edb29b181c99eba33d147a3dbec13244d7047fde544280376c6fffe0158fe90e3f50de4d80727df079eaca430af7803dd6306ec894a129b5
-
C:\Windows\System32\AgentService.exe
Filesize: 1.7MB
MD5: f00c85c6f7e4904d6261ad18f8d4a216
SHA1: dcb2fc0f577f3141a2789c701032b0651f92ae66
SHA256: a0e47e374fb3444df18494847e36c53daca9df8de5ba82e12a424f4508a72bf5
SHA512: 7955ab6d8ec977581246a6ef2088d3a78f2cebb779ad5e96b963d6538bf0c758a6f1d6a840b2982d1a665dfd20a2d196e7aebc78a998ae3d10a6737218ccafaf
-
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize: 659KB
MD5: 77f88d32dd2bb15ae7ecc252b2eb9148
SHA1: 9268afcf3f52ded8b20efd375074c0c2c4adc169
SHA256: f64fcc383a3190e2803c9f65b695d37d698eff7b52adea59c56874ed0b97f13c
SHA512: 00fc7acd6f21cc15152cbea8a805d718a7f0307b5b4b3ec5abefe85b99e95c977d541e241ad8ab3e1d791f042bc66dd232932f77fc13042a21e23b726f80c043
-
C:\Windows\System32\FXSSVC.exe
Filesize: 1.2MB
MD5: 92b6a4c06569b09b2ca479da10f1720b
SHA1: b9ae031486a0a64f8f8b64af0f32cf02dec4de63
SHA256: e36a1179226755e67fce99a1c1753973bd27785c0522953086c77c3216fb351f
SHA512: ba078afce62ed9f2f052eaf30fa69341268cc1b331944a8dc082bef31ebb0c8f76c264acf6f7a01b6b24eea68ee4441029b81781dfcd2dac8984a43a8fd7b17d
-
C:\Windows\System32\Locator.exe
Filesize: 578KB
MD5: d047c97513072c5ad285304c926007b0
SHA1: 36e66ba6e7f110eb4040c8b0c7537aec7f450e9b
SHA256: 064dd5481f6a0b2afc86de01fabffc22444223d951b0ce3e4e3173d98947f5f2
SHA512: 5e54cdca728782ec5fa5d94d2ee5bdd5874dbe5840e04cab857447b63e7d953010869aaa8b1a5c77568baeede5f17b8d1468ae35066bcfac5e0a7840a2be5ac6
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize: 940KB
MD5: 472d549ab33e938e6793491455d13d16
SHA1: c2146b2f139ff5ba833e0432ecd42fb988026250
SHA256: da3f2749006f6843ba74cf329dc2d9b7f73ec338ba12e8ad11c323edcf787111
SHA512: edfa677bd793c4c2e26d019c12b750243adeae19bb451b7fcc8925a16780115f860fe1d94e708e39a6dc9ed9c2086dcc5bd6668375b84614ffc06fb979e1692c
-
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize: 671KB
MD5: ddefb3f2e69e03c8aec3683087380623
SHA1: ab2e79e8e974cb0fff020d56ab1cde805bace76c
SHA256: 18a306207cba845d7a373bd562e3ca6535787ddf635fe84cfd9e82a4510f9f34
SHA512: b22d5cf2a706d9b8f6b1a702b150d449ed41a3816a44ac53599c277d3614b6b7bb19ad212fe7c765ddb919fe1185a0f2084c6dedcd60f26172d5280eccf33bc4
-
C:\Windows\System32\SearchIndexer.exe
Filesize: 1.4MB
MD5: 384f71395febfac5e091fe8f0e97294e
SHA1: c6e6380165b547c8c46dd0560a4d48a17b942220
SHA256: 24fed8ff13e5c9d84f987b04215669250e99dd75d05a30412ca61271535cdfc5
SHA512: 3da1957c8bd6111fb89cdd52cfbe59459c753a37b8dad6411e934e37a78f2185c3b613a20f43724cc0f135b658631816fe8ac09801d114e8f2105c9b63fbfabd
-
C:\Windows\System32\SensorDataService.exe
Filesize: 1.8MB
MD5: 5e60a459da7b51cccdc0114162939fbd
SHA1: 5e4af88ef8aeba51cd48b921afe110b5995bab16
SHA256: 00e768c8da56adb0089cf7cbb74d7f71f1ea99fa9faf9b55bd2526e7386c39e9
SHA512: ad2f8e5bc9bd2815a5188445b98fd34542f7dbd1949cbc0b602fde06d618a375a08a7bd7e04d9c9732c2d15e8914476b3a825c4c0469cd7b45595e80998fcecd
-
C:\Windows\System32\Spectrum.exe
Filesize: 1.4MB
MD5: 224e7d758534bef91c60cf87e73f0012
SHA1: 31c06afcf51a9db7dd8122508b29f9a77ffbb3e3
SHA256: 2037dd64431eddff7473bceabf330482e913525190eb328ededa4dfcb112d7fe
SHA512: 56b09f73830508ddccd3f156237a474b789f15c2af3de349f9b8fbd2da9c07dd0bbbac0ca045c1d63b3562c87c0f95a2150264b93040aee9fd395f710e3dd60c
-
C:\Windows\System32\TieringEngineService.exe
Filesize: 885KB
MD5: 0aa29a732f1eabd271f0985864956fde
SHA1: a2a62fa418c24f88da7bd23e5aba558161324908
SHA256: ef75247ddfc02aaf8756102d29de5ad7953b55966e4b7d9f589fcf6b2fb22359
SHA512: 07d71e93b2446677b64b0adf72448fc5a32b3bd8fe5e486b80f7ce1c692524fa93bbf8fb8bc2fa5d4d9ab606eaa02c4fb663da12e287a56342b8f3cf02177f81
-
C:\Windows\System32\VSSVC.exe
Filesize: 2.0MB
MD5: 79ffffcc1fdc681db6a897d0474519af
SHA1: 0971bd15e7b8144d8c2b4dabbf4e6a2e43dc416d
SHA256: 935a9ce537a1308b7ca0230d45fa40f9203d80e5a734e710d501c53328fb9721
SHA512: a89f9f5a3e4feea639bba36d53ad44cbd825c3545156a6474ba37ba2ce7ac909b5c541c0e062c79c3ff1261d812c9902f0a9e31da124098955eec648bfe01d7c
-
C:\Windows\System32\alg.exe
Filesize: 661KB
MD5: 8602516ada40bf307d1c162ce2d3515b
SHA1: 4a73b516bb04e82f0cacbc840c24231d8f39a466
SHA256: 51a9d0271460aba16b957fef4604c7a2a310fdb5fa8ef0ab42762b3f8e7e6209
SHA512: 2f5d58e8f5e8333ba77d919764c5ced323a861a86ade17a0e9cecc2919c0d49c88b51333db2decfa8904e39793d2c6346b1616a18eb649c912a56fe764f6d455
-
C:\Windows\System32\msdtc.exe
Filesize: 712KB
MD5: 321ca743d649c4ba6cd37ca9a76a96fd
SHA198f8fe6cb9fc3de8a5ae4ace3bc5d166e3e2dd87
SHA2566e76d7af0d621e83c362411fa5b595e21f2149fa48173b44008227451ff84ba3
SHA512df6c18dab11f385014a01daf11118bdd261333b5677b80fa86a0c787fec38cd4bc3d64fbd92a269635309b1cfeed751e37b417ef6322fbcca3c21b4e09add653
-
C:\Windows\System32\snmptrap.exeFilesize
584KB
MD5edf6e9b08faf56f39d157d0bbb46090a
SHA1cd4a603c4cb2475507283827c8947290b289bb24
SHA2569f433c2b0ecb243be6cbb9db0b7388bdd932360f07bd864913f4150e4469d218
SHA512f391bd55b30f7258de0cfa77ff5c948844cdccccb911e32d76e518c9aad97e9114f8dac2942c2d36f84396a072ed75250825002362b6853d02c8f0dad139c1c1
-
C:\Windows\System32\vds.exeFilesize
1.3MB
MD59b23c142f64460fd9dcd8d3d92c4a0f9
SHA1df7f6cfede1f5044ab23973196214ed5b88398e8
SHA2560934523b74493f0773148699fa1a672d8b69b70f0ec7904519d83b986540cfc9
SHA51224b1f4d91c4b930037058ebee811c53ad6b72957810f1c17c26b9e071f9594b9655beb458c374089c9822e258ccb106e386eb05c130af2da1e971fe52ea4e462
-
C:\Windows\System32\wbem\WmiApSrv.exeFilesize
772KB
MD50a988bfad0cfa1dba7b1c70b51a0ab22
SHA11ee0c4453815a4e339ac108f60033d904adc0e74
SHA256d08c4d3c770a5f50a79f6dbf07d15aef3d3947cdb01b6cd244ecaf3a11b0b9ae
SHA5124b5e69dd40c8709192f35189cc6bdb482b67dcde00b965fe60d83d1aa86f0d2bf68cbc3b1cbbc39572db4ee5769decda63a5cf9aa74e801b221e2a487777eb4a
-
C:\Windows\System32\wbengine.exeFilesize
2.1MB
MD55c875016941ebc10ab1eee2d36b1eb4f
SHA1738f2a6009da4267d30945aa6da4891797649ab3
SHA256e6adc9920035586cb863391bed2820ec2636116efdbbc40fdbfcbd8be3c8b15b
SHA512651e4b3364b41d0871d27cf936fe1f355c37ccfa19414e647fbe9c2234619532e70dfa09fec19f60dc67e5e9ad83db16508f7b8277d17ff55835b6bf79c65d73
-
C:\Windows\system32\AppVClient.exeFilesize
1.3MB
MD5d6bda28d55c72c8cffc37b9f1829378e
SHA1f6554455871187ee9d85e29716836811443c6706
SHA256f486993cad4db11db28ed80289b3613476b64a881ef27ebd17423e99b7a86bb4
SHA51247ed4a073795a24c25940143388c55b28050b874eafa37231ae98ad8acf8311d5c1dd8c4a187e6c57d1bc09fe8dcd156bf604db1cdddce32f520eca6a5dadf54
-
C:\Windows\system32\SgrmBroker.exeFilesize
877KB
MD583d9749bef2ab2305b9294036921b472
SHA1f4dd76e73d5bb6562865c94526d53eecd789e4d3
SHA256600460ec1c1ab67ecaa4e70270684571083e2cb5e5eeb4dd103e6089afe71aed
SHA512b522cd5f36c6b045dfd48ace411029da3a4cd2522c91c2734df63d5c4cf2c500ce16e1b80cc6286ac35bdb94bd8b815617ef55fa901a348bc899b2712a32cf7d
-
C:\Windows\system32\msiexec.exeFilesize
635KB
MD5c1c130021b03fb051bd6b5b5b5628191
SHA1a75edfc45585de742f644722eb8f01e83db67bfc
SHA256184bc63279eec7b71b8f9e42c633c51ecd929bb804cf6ede87d49ac053056c80
SHA512ccc0b3c98311eef3067d6e6a74c45887ae361bd1541bc07c445cf81b6d58467a47ed7b3194f34ae419ee7e43d1faa5516fa8819021d233d1c2df3b88f07d28ab
-
Memory dumps (process id, dump index, address range, Filesize):

memory/620-74-0x00000000004F0000-0x0000000000550000-memory.dmp (Filesize: 384KB)
memory/620-73-0x0000000140000000-0x00000001400CF000-memory.dmp (Filesize: 828KB)
memory/620-152-0x0000000140000000-0x00000001400CF000-memory.dmp (Filesize: 828KB)
memory/620-80-0x00000000004F0000-0x0000000000550000-memory.dmp (Filesize: 384KB)
memory/876-150-0x0000000140000000-0x00000001401C0000-memory.dmp (Filesize: 1.8MB)
memory/1320-481-0x0000000140000000-0x00000001400E2000-memory.dmp (Filesize: 904KB)
memory/1320-145-0x0000000140000000-0x00000001400E2000-memory.dmp (Filesize: 904KB)
memory/1516-115-0x0000000140000000-0x00000001401D7000-memory.dmp (Filesize: 1.8MB)
memory/1516-169-0x0000000140000000-0x00000001401D7000-memory.dmp (Filesize: 1.8MB)
memory/1516-464-0x0000000140000000-0x00000001401D7000-memory.dmp (Filesize: 1.8MB)
memory/1732-69-0x0000000140000000-0x00000001400B9000-memory.dmp (Filesize: 740KB)
memory/1732-149-0x0000000140000000-0x00000001400B9000-memory.dmp (Filesize: 740KB)
memory/2012-134-0x0000000140000000-0x0000000140102000-memory.dmp (Filesize: 1.0MB)
memory/2012-461-0x0000000140000000-0x0000000140102000-memory.dmp (Filesize: 1.0MB)
memory/2340-51-0x0000000140000000-0x000000014022B000-memory.dmp (Filesize: 2.2MB)
memory/2340-133-0x0000000140000000-0x000000014022B000-memory.dmp (Filesize: 2.2MB)
memory/2340-42-0x00000000001A0000-0x0000000000200000-memory.dmp (Filesize: 384KB)
memory/2340-48-0x00000000001A0000-0x0000000000200000-memory.dmp (Filesize: 384KB)
memory/2576-161-0x0000000140000000-0x0000000140216000-memory.dmp (Filesize: 2.1MB)
memory/2576-486-0x0000000140000000-0x0000000140216000-memory.dmp (Filesize: 2.1MB)
memory/2640-23-0x0000000140000000-0x00000001400A9000-memory.dmp (Filesize: 676KB)
memory/2640-24-0x00000000006A0000-0x0000000000700000-memory.dmp (Filesize: 384KB)
memory/2640-15-0x00000000006A0000-0x0000000000700000-memory.dmp (Filesize: 384KB)
memory/2644-482-0x0000000140000000-0x0000000140147000-memory.dmp (Filesize: 1.3MB)
memory/2644-153-0x0000000140000000-0x0000000140147000-memory.dmp (Filesize: 1.3MB)
memory/2872-487-0x0000000140000000-0x00000001400C6000-memory.dmp (Filesize: 792KB)
memory/2872-165-0x0000000140000000-0x00000001400C6000-memory.dmp (Filesize: 792KB)
memory/2936-87-0x0000000000400000-0x0000000000584000-memory.dmp (Filesize: 1.5MB)
memory/2936-6-0x0000000000850000-0x00000000008B7000-memory.dmp (Filesize: 412KB)
memory/2936-0-0x0000000000400000-0x0000000000584000-memory.dmp (Filesize: 1.5MB)
memory/2936-1-0x0000000000850000-0x00000000008B7000-memory.dmp (Filesize: 412KB)
memory/3444-61-0x0000000000C00000-0x0000000000C60000-memory.dmp (Filesize: 384KB)
memory/3444-67-0x0000000140000000-0x00000001400CF000-memory.dmp (Filesize: 828KB)
memory/3444-53-0x0000000140000000-0x00000001400CF000-memory.dmp (Filesize: 828KB)
memory/3444-56-0x0000000000C00000-0x0000000000C60000-memory.dmp (Filesize: 384KB)
memory/3444-64-0x0000000000C00000-0x0000000000C60000-memory.dmp (Filesize: 384KB)
memory/3624-170-0x0000000140000000-0x0000000140179000-memory.dmp (Filesize: 1.5MB)
memory/3624-488-0x0000000140000000-0x0000000140179000-memory.dmp (Filesize: 1.5MB)
memory/3788-117-0x0000000140000000-0x0000000140096000-memory.dmp (Filesize: 600KB)
memory/3984-100-0x00000000007C0000-0x0000000000827000-memory.dmp (Filesize: 412KB)
memory/3984-160-0x0000000000400000-0x0000000000497000-memory.dmp (Filesize: 604KB)
memory/3984-105-0x00000000007C0000-0x0000000000827000-memory.dmp (Filesize: 412KB)
memory/3984-99-0x0000000000400000-0x0000000000497000-memory.dmp (Filesize: 604KB)
memory/4100-156-0x0000000140000000-0x00000001400AB000-memory.dmp (Filesize: 684KB)
memory/4100-88-0x0000000140000000-0x00000001400AB000-memory.dmp (Filesize: 684KB)
memory/4100-89-0x0000000000690000-0x00000000006F0000-memory.dmp (Filesize: 384KB)
memory/4100-95-0x0000000000690000-0x00000000006F0000-memory.dmp (Filesize: 384KB)
memory/4140-425-0x0000000140000000-0x0000000140169000-memory.dmp (Filesize: 1.4MB)
memory/4140-130-0x0000000140000000-0x0000000140169000-memory.dmp (Filesize: 1.4MB)
memory/4172-110-0x0000000140000000-0x0000000140095000-memory.dmp (Filesize: 596KB)
memory/4172-164-0x0000000140000000-0x0000000140095000-memory.dmp (Filesize: 596KB)
memory/4176-31-0x0000000000C50000-0x0000000000CB0000-memory.dmp (Filesize: 384KB)
memory/4176-38-0x0000000000C50000-0x0000000000CB0000-memory.dmp (Filesize: 384KB)
memory/4176-35-0x0000000140000000-0x0000000140234000-memory.dmp (Filesize: 2.2MB)
memory/4176-120-0x0000000140000000-0x0000000140234000-memory.dmp (Filesize: 2.2MB)
memory/4272-11-0x0000000140000000-0x00000001400AA000-memory.dmp (Filesize: 680KB)
memory/4272-109-0x0000000140000000-0x00000001400AA000-memory.dmp (Filesize: 680KB)
memory/4368-483-0x0000000140000000-0x00000001401FC000-memory.dmp (Filesize: 2.0MB)
memory/4368-157-0x0000000140000000-0x00000001401FC000-memory.dmp (Filesize: 2.0MB)
memory/4960-28-0x0000000140000000-0x0000000140135000-memory.dmp (Filesize: 1.2MB)
memory/4960-54-0x0000000140000000-0x0000000140135000-memory.dmp (Filesize: 1.2MB)