Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 15:44

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Resource: win7-20240221-en
General

Target: 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Size: 1.8MB
MD5: 041fe4779101e41b619ee0aec34c02a2
SHA1: 1b4885ede973712665cbf783162fce1f6746eef9
SHA256: 5ea1fb400f4c14b19fbb4be1eecfa4a4dbc316163ac3d4990477f7f6a179f1cf
SHA512: 4bfd2c05e01d4b525f7629d76f058df9485c75d96ded922e1d2c91af59679f15662dad224bf04ac7e463aa5f76e9d86c4b03ccf3b427641e06dc2b827aad1bcf
SSDEEP: 49152:GE19+ApwXk1QE1RzsEQPaxHNuDmg27RnWGj:L93wXmoKGD527BWG
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Every process listed here is a Windows or third-party service executable, and most of them sit at the System32 and Program Files paths that the sample opened for modification in the sections below; the "dropped" files are overwritten copies of existing binaries, which are then started as services.
Processes:
pid | process
3764 | alg.exe
1516 | DiagnosticsHub.StandardCollector.Service.exe
2280 | fxssvc.exe
2616 | elevation_service.exe
3104 | elevation_service.exe
2056 | maintenanceservice.exe
212 | msdtc.exe
3108 | OSE.EXE
216 | PerceptionSimulationService.exe
484 | perfhost.exe
3288 | locator.exe
4268 | SensorDataService.exe
2172 | snmptrap.exe
364 | spectrum.exe
3472 | ssh-agent.exe
2884 | TieringEngineService.exe
836 | AgentService.exe
4936 | vds.exe
3648 | vssvc.exe
3248 | wbengine.exe
1488 | WmiApSrv.exe
3740 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Note that DiagnosticsHub.StandardCollector.Service.exe, itself one of the executed dropped EXEs, goes on to open further service binaries for modification, and writes a data file (ca91e4c2c3136770.bin) under the SYSTEM profile's roaming AppData; both are worth collecting from an infected host.
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\ca91e4c2c3136770.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
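The three "Drops file" sections above share one layout, and what a responder needs from them is the list of executables to re-verify on the host and the fact that one overwritten service binary kept writing to others. As an added example, not part of the sandbox report, the following Python parses IoC lines in that layout and derives that triage summary. The embedded lines are a constructed subset of the rows above; the list of descriptions accepted by the regex is an assumption of the example.

```python
import re
from collections import Counter, namedtuple

Ioc = namedtuple("Ioc", "description path process")

# One IoC per line in the report's own "<description> <path> <process>"
# layout. The description alternation is anchored so a path cannot be
# mistaken for it; the process is the final whitespace-free token and the
# path, which may itself contain spaces, is everything in between.
# (Assumed description list: the report only shows the first of them.)
_LINE = re.compile(
    r"^(File opened for modification|File created|File deleted)\s+(.+?)\s+(\S+)$"
)

# Constructed sample: a subset of the IoCs from the three "Drops file"
# sections, including two non-executable artifacts, one path touched by
# both the sample and the overwritten service, and a case-only duplicate.
SAMPLE = "2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe"
SVC = "DiagnosticsHub.StandardCollector.Service.exe"
IOC_LINES = rf"""
File opened for modification C:\Windows\system32\wbengine.exe {SAMPLE}
File opened for modification C:\Windows\system32\dllhost.exe {SVC}
File opened for modification C:\Windows\System32\alg.exe {SAMPLE}
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe {SAMPLE}
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\ca91e4c2c3136770.bin {SVC}
File opened for modification C:\Windows\System32\msdtc.exe {SAMPLE}
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Program Files\7-Zip\7z.exe {SAMPLE}
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe {SVC}
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe {SVC}
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe {SAMPLE}
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe {SVC}
"""


def parse_file_iocs(text):
    """Parse the report's file IoC lines into Ioc records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        records.append(Ioc(*m.groups()))
    return records


def _is_exe(path):
    return path.lower().endswith(".exe")


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def modified_executables(records):
    """Distinct .exe paths opened for modification, deduplicated without
    regard to case (the report mixes system32 and System32)."""
    seen = {}
    for r in records:
        if r.description == "File opened for modification" and _is_exe(r.path):
            seen.setdefault(r.path.lower(), r.path)
    return sorted(seen.values(), key=str.lower)


def modifications_by_process(records):
    """How many executables each process opened for modification."""
    return Counter(r.process for r in records
                   if r.description == "File opened for modification" and _is_exe(r.path))


def propagators(records):
    """Processes that were themselves overwritten and then opened further
    executables: a name that appears both as a modified path and as a
    modifying process has carried the infection one step further."""
    modified = {_basename(p).lower() for p in modified_executables(records)}
    return sorted(proc for proc in modifications_by_process(records)
                  if proc.lower() in modified)


def non_executable_artifacts(records):
    """Touched paths that are not executables (logs, data blobs) and are
    worth collecting from an infected host."""
    return sorted(r.path for r in records if not _is_exe(r.path))


def triage(text):
    """Summarise a block of file IoC lines for an incident write-up."""
    records = parse_file_iocs(text)
    return {
        "executables_to_verify": modified_executables(records),
        "by_process": dict(modifications_by_process(records)),
        "propagators": propagators(records),
        "artifacts": non_executable_artifacts(records),
    }


if __name__ == "__main__":
    report = triage(IOC_LINES)
    print(f"{len(report['executables_to_verify'])} executables to re-verify")
    for proc, n in report["by_process"].items():
        print(f"  {n:3d} opened by {proc}")
    print("propagators:", report["propagators"])
    print("artifacts:", *report["artifacts"], sep="\n  ")
```

The executables_to_verify list is the input for a signature and hash check on the host (Authenticode status, and a comparison against a clean image of the same build); any binary on it that no longer verifies should be treated as tampered, and the propagators list tells you which of those copies were already running with SYSTEM privileges and writing to others.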
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. Here, though, both reading processes (spectrum.exe, the Windows Perception Service, and SensorDataService.exe) are Windows service binaries that the sample opened for modification and then launched; enumerating attached devices is part of their normal start-up, so these reads are not by themselves evidence of evasion logic in the injected code. The instance paths do reveal the sandbox's virtual hardware: the optical drives identify as Ven_QEMU and Ven_Msft Virtual DVD-ROM, while the disk reports Ven_DADY.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. As with the SCSI reads above, the reading process here (TieringEngineService.exe, the Storage Tiers Management service) is a Windows service binary that the sample opened for modification and then launched, so the query of ~MHz is weak evidence on its own.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
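The two registry sections above record the accesses a VM check would make, and the device instance paths carry the strings such a check compares. As an added example, not part of the sandbox report, the following Python parses registry IoC lines in the report's layout, extracts each SCSI device's vendor and product strings, and applies the kind of marker match that VM-detection code performs, so you can see which of this sandbox's devices would trip it (the QEMU and Msft virtual optical drives) and which would not (the disk reporting Ven_DADY). It also pulls out the CentralProcessor value names read. The embedded lines are a constructed subset of the rows above, and the marker list is an assumption of the example, not something recovered from the sample.

```python
import re
from collections import namedtuple

RegIoc = namedtuple("RegIoc", "description key process")
ScsiDevice = namedtuple("ScsiDevice", "device_class vendor product instance")

# Registry IoC lines in the report's "<description> <key> <process>" layout.
_LINE = re.compile(
    r"^(Key opened|Key value queried|Key created|Set value \(\w+\))\s+(.+?)\s+(\S+)$"
)
# A SCSI device instance path under Enum\SCSI has the form
#   <Class>&Ven_<vendor>&Prod_<product>\<instance id>
# and the vendor/product strings are what VM-detection code inspects.
_SCSI = re.compile(
    r"\\Enum\\SCSI\\([^&\\]+)&Ven_([^&\\]+)&Prod_([^&\\]+)\\([^\\]+)", re.IGNORECASE
)
# Value names read under HARDWARE\DESCRIPTION\System\CentralProcessor\<n>.
_CPU = re.compile(
    r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+\\([^\\]+)$", re.IGNORECASE
)

# Assumed marker list for this example; most specific first so the reported
# marker is the most informative one.
VM_MARKERS = ("qemu", "vmware", "vbox", "virtualbox", "xen", "hyper-v", "virtual")

# Constructed sample: a subset of the registry IoCs from the two sections
# above, covering each distinct SCSI device instance at least once.
REGISTRY_LINES = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName spectrum.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
"""


def parse_registry_iocs(text):
    """Parse the report's registry IoC lines into RegIoc records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        records.append(RegIoc(*m.groups()))
    return records


def scsi_devices(records):
    """Distinct SCSI device instances referenced by the accesses, in
    first-seen order (several keys under one instance collapse to one)."""
    found = {}
    for r in records:
        m = _SCSI.search(r.key)
        if m:
            found.setdefault(ScsiDevice(*m.groups()), True)
    return list(found)


def hypervisor_hits(devices):
    """(device, marker) pairs for devices whose vendor or product string
    contains a hypervisor marker, i.e. would trip a naive VM check."""
    hits = []
    for d in devices:
        haystack = f"{d.vendor} {d.product}".lower()
        marker = next((m for m in VM_MARKERS if m in haystack), None)
        if marker is not None:
            hits.append((d, marker))
    return hits


def processor_values_queried(records):
    """Value names read beneath CentralProcessor\\<n> (e.g. ~MHz)."""
    names = set()
    for r in records:
        if r.description != "Key value queried":
            continue
        m = _CPU.search(r.key)
        if m:
            names.add(m.group(1))
    return sorted(names)


if __name__ == "__main__":
    recs = parse_registry_iocs(REGISTRY_LINES)
    devs = scsi_devices(recs)
    flagged = {d for d, _ in hypervisor_hits(devs)}
    for d in devs:
        verdict = "would trip a VM check" if d in flagged else "passes as real hardware"
        print(f"{d.device_class:6} Ven_{d.vendor:<5} Prod_{d.product:<16} {verdict}")
    print("processor values read:", processor_values_queried(recs))
```

The asymmetry in the output is the practical lesson: a sandbox that renames only the disk vendor still leaks its hypervisor through the optical drives, and a sample that checks all Enum\SCSI instances rather than the first one will notice.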
Modifies data under HKEY_USERS (64 IoCs)
SearchFilterHost.exe and SearchProtocolHost.exe are helper processes of the Windows Search indexer (SearchIndexer.exe is among the executed dropped EXEs) and fxssvc.exe is the Fax service; the writes are MuiCache strings and shell-extension cache stamps under the .DEFAULT hive, the normal residue of those services starting under the SYSTEM account rather than an indicator in their own right. The page shows 45 of the 64 entries; the last one is cut off.
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c8e8846f1adda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003eaf6545f1adda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022c09745f1adda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb564f46f1adda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000157f1846f1adda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934
= "AVCHD Video" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090605745f1adda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe, DiagnosticsHub.StandardCollector.Service.exe
pid process
4576 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe (35 entries)
1516 DiagnosticsHub.StandardCollector.Service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 668 668 -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, DiagnosticsHub.StandardCollector.Service.exe
description pid process
Token: SeTakeOwnershipPrivilege 4576 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Token: SeAuditPrivilege 2280 fxssvc.exe
Token: SeRestorePrivilege 2884 TieringEngineService.exe
Token: SeManageVolumePrivilege 2884 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 836 AgentService.exe
Token: SeBackupPrivilege 3648 vssvc.exe
Token: SeRestorePrivilege 3648 vssvc.exe
Token: SeAuditPrivilege 3648 vssvc.exe
Token: SeBackupPrivilege 3248 wbengine.exe
Token: SeRestorePrivilege 3248 wbengine.exe
Token: SeSecurityPrivilege 3248 wbengine.exe
Token: 33 3740 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3740 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3740 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 4576 2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe (5 entries)
Token: SeDebugPrivilege 1516 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 3740 wrote to memory of 1124 3740 SearchIndexer.exe SearchProtocolHost.exe
PID 3740 wrote to memory of 1124 3740 SearchIndexer.exe SearchProtocolHost.exe
PID 3740 wrote to memory of 4736 3740 SearchIndexer.exe SearchFilterHost.exe
PID 3740 wrote to memory of 4736 3740 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-24_041fe4779101e41b619ee0aec34c02a2_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4576
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID: 3764
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1516
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 3360
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2280
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID: 2616
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 3104
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 2056
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 212
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 3108
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 216
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 484
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 3288
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4268
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 2172
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 364
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 3472
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 1788
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 2884
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 836
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 4936
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3648
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3248
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 1488
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3740
  -
  C:\Windows\system32\SearchProtocolHost.exe (child of SearchIndexer.exe, PID 3740)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 1124
  -
  C:\Windows\system32\SearchFilterHost.exe (child of SearchIndexer.exe, PID 3740)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID: 4736
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exeFilesize
2.1MB
MD5bac4b49b5be65b751017750d4f5ce2e3
SHA12345a801e9bf95558aedc2d6f0f67ec41d81e8a9
SHA2561bd9911afbe6889c2fdb548f9304385e6e8d2ab3060940f6b167eea931b98c49
SHA51239101de57285b51cd8d88ba311b889e6b6e944372b5c3c162f54c29a5e5f2af0956791dec0ccff08124038952fbe2746b3b15051d46a9bbb94d9160efdafb892
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeFilesize
797KB
MD547860ef95331d73c1841ff17d6906a5f
SHA15d89c99a89ab45b6745b88426c83ecb5455fd4d4
SHA256a2081a19f095351fd6c21017e9a3bdb38a47660564470712d28bd3d7c5ee22d5
SHA5123060381489c21477d68bd3d1c2eb4457735ffb3645ebd581527543938f11a5a7a537fb755330409f31f4d15089309c5281495317048cb4661eec087e8b06d8c8
-
C:\Program Files\7-Zip\7z.exeFilesize
1.1MB
MD5780b2a243d6a05759d62828dceb21f99
SHA12c0581708029e2af154c2de2dcb2b653b433d839
SHA2568394c6dd54dc72ff0b7757592894958debbaa7d2531f35640c9e3864c7d525ed
SHA51209a50cbb3ed9de39addbdb516fa7eb3b7492bcf6fcc38956ede0e2179bb5afc00341d3ed7b069da2a684cfd1a81262c7d1d4416c0aec8e63f9c2fa1d6236025e
-
C:\Program Files\7-Zip\7zFM.exeFilesize
1.5MB
MD558e720ab9f280646adf3c20a09b96630
SHA1a46c16f87361a5139e46d1818ca09aa51278732b
SHA25628312e5ee53a6b6cf99542f365743d39e429e241704b4afff7a3d515d0d88162
SHA5123dd54bac9713a5d57406344653212dadf14acf74c4514f7fe33d4d8d058cdfaa4d1d67211eba1d745576ef0438ed5b20a3e0975ada5244f779ca1ebc4a177c54
-
C:\Program Files\7-Zip\7zG.exeFilesize
1.2MB
MD55d5088c0767631f30cfc39c2e6ce6136
SHA179502e96ace3399659a02881c84542de3bb2b30a
SHA25689255f6649e0fb7759efa95519916b59c10ce0d08de6e22037e6d0f4e44cc2fb
SHA5125527e9c9521ad78bc59344bf896421fdea3a655fa8c22ebd87bb8e3df2c0485fbe64fc156f1d3710538b1bb73a02febffa8f16f03cc6ca15e603db21b3e9d8c3
-
C:\Program Files\7-Zip\Uninstall.exeFilesize
582KB
MD5a1d282c5d8a1b3de7671aca281b0b1ba
SHA17291afcc69872f8edfaca6e5ade4744245993732
SHA2563d3e4cd0836105acf7b4bcfd803d7848ac77521d2463a6a48a7ad9002fef8763
SHA51256451961f0e165fc825e3076c75bb58c4b0760556c7cb49dc8a5940b5bbf4cff71113758d1580275497799e2371fa71e78790722ee076e8072201249f7ac6922
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeFilesize
840KB
MD5457961699859f301a46323f8de7c1ed0
SHA1e794651025d314cc9899f65e9e857f0e9d5e0960
SHA256abf4aec7b367b54579699792dc486b859c559f0a2e402799d2a62e1ca9f06b0b
SHA512e95493b55b9dd7989e3817a3389858ab7db90e823370e55f2e4a836d9b887183a2292dab7e1cc8f4cd338a581122cc18612695462a2f80ad7508e70d0114e104
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeFilesize
4.6MB
MD52ba59e319716f3cd99640ba717a9a76f
SHA1ee9da699c3542bf6205bec4e732dcf73f58abe3f
SHA256d89379d50ee458ec4e79aad6ea765d0c94ade766e82f4f37a5e723c17ab18511
SHA51209fe1305b171dea6b2b5eacfb560c1475598340a26c23a0fa28a1df6cc87cdcdff089cdbbd5d444ef0c61b1e81edf5a1d144572252dfe73dd632ed61dbcf7fa0
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeFilesize
910KB
MD5610eedbd2ca7b77b2d7dcc896af61d76
SHA1a7b5c3f602ab5af7006d74ed12eee846999c9172
SHA256acc0ee01df424473e1fbf190a381393f8c086f88fd9b710890188b27ffb11ef9
SHA5124750aa6540445f13f7ef1de548e516a640220d3cbc817ba2a58b185a6b0c7e60969825dcf796c0bd9a76bae6bd11a90c05a7b0d38c8e20c64a30d1290347c0e1
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeFilesize
24.0MB
MD5dcbdbaef7c650e1f2f9c6775287702fb
SHA1e9ebdc4d1edcafdfbc7175959dd0c2245d1bf390
SHA256542d9d41ece39a623f916e7d687deac26f66800e3cc5dd24d274bcd322dedd0d
SHA51295c57f10526a14b85f25fce880d2bda348096f3ab7517b3f1ca122a82e0443ef23e3ec074135ae2baa00d1ff13df862257c57d36601801895c5116c68d88ab63
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeFilesize
2.7MB
MD55e0ad0639d1b2ea1c2608e99ed2c8faa
SHA1c1bcab3326c784075f3251f591dab76d8069f41d
SHA2567a75666694f68b333c7691674302045d7e3ab56396020d5f5c60ed8f56e1619c
SHA512c374d07551bd58a327447219f4d0167effbb3b9b15df3015842172c3aa1be39d83991bab8644f6db4dc612ff2e854d910b3b61f52f0323bd421e16f936d92797
-
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXEFilesize
1.1MB
MD5adfcd4e6ef6aeca5444e46bf2154096d
SHA17062d8fe2db3c8ccaf6f3624ecd5d819dd868fdb
SHA256af6276e6100563963495ce078d47ed41c70b032ddbf31219f143218d3fb74224
SHA512f14a0aaa5cec66610ac67fb77dbf8b5dc80f6698ade15df384198806963a1ebbc7d7d8250c70572de7599dacbc9aa6783d49a7dba58d25b105345d89490cbcaf
-
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXEFilesize
805KB
MD55209f458cb4e8efe555118933f549227
SHA1a8b826907a63a935ae53c38ba744538f874aed7d
SHA256d722496d5c7967327beecb27bf46bf6e5d073db4af829bfc9ac69e5c14e704a9
SHA512d5e7a93f2e6f019bafaa2d9916b4d9742e861f1b1de9686cc196eaf83d47cc3f698eb91498b3e168bee9fe2f48a6bd7224d3fd4f619fb682530a3b2f57a225f3
-
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exeFilesize
656KB
MD5e0cb421fb9ed0e47a2ce8c8a24bd0753
SHA128c6e1bb5a51a2619176f4c3679a18121d4eee15
SHA2565af5d676a965093d8cc8bb8fcaf72bb64be624bcb97dcc862d5558bbd7e26fec
SHA5129e26a11b31f0f2d398762a01efb334f867e17266e39eafe1de6ba141f51836031c32721f8d5fbe98b744c394a7356fa7963a74198735ac4ec3531d2603065bb9
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exeFilesize
5.4MB
MD511ba2bddbc9ccd5ea00d9bea0681d9a5
SHA12c638a374652a33ae9196cdb07e62d83844182b2
SHA256947443282f6d1df1d16d0bfe54aa5c5e8a367063ff4196507d22a1cade6ce63f
SHA5125b96a6de921f2abc6673106f3f97015789aceeb4d94d9ff85af0d7cce7da47ff9639f6eada80f7b5b4878fbad1a79a97295799d7e6ac9e2a3fc60fdd24ee4987
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exeFilesize
5.4MB
MD5566d96b529dbe0c597609f91caf66f76
SHA1e2b59fd86eddb8b76f028773ffc2f8087ac6b152
SHA25633412e9a1666dc27fa021b0a815af233b922d69ae773b1f794e474450d3f8555
SHA5122f2a3c7250286723d8fe3efb8b9ede1b8e078d68206af457a2323e0d2e706d0eba3e801c81d9d62e19ecfaa10e1f4efb85272d0544219df0f9d81b27a71b9d7a
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exeFilesize
2.0MB
MD50e5ee3789d1ded5d6b570960648f954c
SHA10cd0c48254c678851de4357371fb8358f35cbf22
SHA25607655343ec426c5a38a9b611d5b53a2ad2aa04cb290789deb6d0ee47f0bee6a4
SHA51275667427ca0f4d9858caf5f298163b550226bca48fbbaa5785274ac88b21e23e8f48a5e4c9fcea689795d0eb0edbfb5fa92085c10a6ff2197a549b86e046b7e8
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exeFilesize
2.2MB
MD523ed2483720cf2210337530a60d385d8
SHA1a3201218a03bfca2003c89a209ca2d5f4e3bd96c
SHA2560a2250cc69568309874c28ba9e0e5e89c6b0a1f8366c62f3cfde7ae3416a98dd
SHA512548aed6a3290bae53aa3bf9306088a3ed13b5147f157888dc4df3173219e21255db23f3fc0a2808d1fa6d0ad3a7eb00a5f34b9513b034ecd3ef0505b3998ca72
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exeFilesize
1.8MB
MD5060024e451c6792099af477af905e913
SHA1b98d6c7eb830e19edcc09b885877d1cf00a8a684
SHA256bef3ff22dbbd567a7b0e6d9f9813274a1065c86cc34b21b0c44fa13018dc0cca
SHA5128cd95384ec134e888847952f5c0ab2161958008fbaa93205dbcde3c1e5a86610df216196608ff8eab483c9ce5a4611c50501029f00919475e384ffb6bea1e26d
-
C:\Program Files\Google\Chrome\Application\chrome_proxy.exeFilesize
1.7MB
MD5abbe590f029bc8afac7f87aa997c07a1
SHA153288b59985683d004946b97abe77a48d6b0eae2
SHA256f89e9095289f95b68aafc60aaf2975ee6f280e4bb0ebe8045d72adb53915f496
SHA51284c74f8c3e22934a9025478ae5c44f3f98bb9ca33954cc1c6f3ba29514774b64a6223c46a06ce441f0faba95bbac21a9ef5209ad0e5515ed78903dda7e8b4582
-
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exeFilesize
581KB
MD51182db41d9a233bcd4b40b5ad6712bd2
SHA1c210f58efd72990e0f283c6afdb27dad47f9b1b8
SHA256e660190961f736ac5b99d20181bac91626eb599f6517b80f904d3ddd81fb7958
SHA512ce044a6c75cc48d4436bf4b4398c4f93292c4a48df9147d39fe45c3870bff64694e79e8e3fd4d85687b50613d1ccae79abc0fcb9e5e181195e1825307179ea1d
-
C:\Program Files\Java\jdk-1.8\bin\extcheck.exeFilesize
581KB
MD55f1cb51d86ff6864571844bf5e2ca8ed
SHA1233bfdb6173d3e42854f6c8ba6b76fc5f3091edd
SHA25618e1c4f4389d2e6643d43b81647312e4d07396f444354c8ee63da4a4f2c762b8
SHA512a271f1959c67b89c3df2a5e4ae127685e3f7ebf1671cdd383004afc0f332e2c31fa470ec85cf065ea882cfa9a65cc4a5c877275f2a669f1374784a99e06ed0b0
-
C:\Program Files\Java\jdk-1.8\bin\idlj.exeFilesize
581KB
MD51f408a8892aef5a9f66ffc6237eabb47
SHA1250beeb680e6da58238c97cc5b8170075b0646d8
SHA256ebc672df5049033b659ea119ae376f22a33b520843917624cd4c40d077931c98
SHA512071d4d21bfde4786fa957703773e59f8d9871b4a80f8f01473b8886c7bf88fa6116d196e3c48982c7927a95e0c005cc60e5b3f1e60c4d63805f7447287721e48
-
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exeFilesize
601KB
MD58cdab8c2317ee4d4e6ab88221db3471e
SHA1f608e5a1c70e579dbd9fd3d7da6e9359adf6d344
SHA256bf082a685f599e33ad4f183f6cc8c287d2f0449e828f1b32de2a24c96936bfcd
SHA5129a7c820b873f0f37b4d8073a08bd84bffa8f13b49e22cf43aacdc745dbe2c19843598b85ae6714dc161fc4c289bc462d9582a422806bd60fe548e31271f259d9
-
C:\Program Files\Java\jdk-1.8\bin\jar.exeFilesize
581KB
MD5db4467b5655daf5e14915fb323b66275
SHA172efd63293d54ef4f53873ce12682e2d46f82392
SHA25636a09c3069c8e12a7d7b45919b001bcf1a10557504c4881e45ca2152b27420bd
SHA51231e2cc46eedc780471b382ca6e01e815792e3f8d32696f28f74d537f2c9b9a78173c2c5a282afb971733fdcb62a57cc171c07e4f8434df7202fdd2ab78b0ae71
-
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exeFilesize
581KB
MD5ce5b5ffc8ec355937675011b888b9934
SHA11c1ac7e2a67925a5aac3507a81ae3ef5bbd7ed14
SHA25612a7775140497d6cb1bae841b733ffbf8a98b77496def1fc124ef97d5421425a
SHA5124e80cad384538a5742aa532aabf3b4d58684c99c3bf60f2c31a8df734b3f8354eb2c5274e124c6d7f66dee0fa225e0162eef71b2a6463d1fee6be318f66430b3
-
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exeFilesize
581KB
MD5816060e504cc78d24550229cf7fa5096
SHA19cb87a924ccdb374b0251b48a5b0a3df734c222d
SHA256bd3efb2f620f693ea2bf95c102d89d8ac0552e8bb5fa4591fb442a8f441d75e3
SHA5123836313609b6bdad8be9055d833b2a0b9fa2c809836d173ca3c7d95fb5df0b28b215f02331ed500f8566306a65e30b190ad3d1482b2f170ef8bf236a40d60114
-
C:\Program Files\Java\jdk-1.8\bin\java.exeFilesize
841KB
MD57881d1c1399349dbf80d76bc06ed6b34
SHA11f508a5952eae5f1599835fe2d05cccd6dad6b96
SHA256c5539958c4fc14d95fc01b4e7dfdc317d1783800c65174e37fea5439fe10f1d5
SHA5120aa3012cd505ebc75d1ac2bb5ebc928226809df344be46989c4f696b345c63819b7b014e6c345ca19f3e9acb6103cc1e4977cd707957bdc0d236011fb22200a0
-
C:\Program Files\Java\jdk-1.8\bin\javac.exeFilesize
581KB
MD577c0c58bc1e791c74bbc9785822630fb
SHA16aef9957a7af25a64b130269183ac9c7dc37a7bd
SHA256ed38e8f95c12e3f18a1975edaa801680057a8bad4b23f4b87295682deb725f47
SHA512282c3bb22802092019951129bedb281fef6eab2c64042532bbdbacf9174299eb7d26e0680bf49e6eff95cc5d66f2091174dbbc3eca695dfdc84fe4f3091c4590
-
C:\Program Files\Java\jdk-1.8\bin\javadoc.exeFilesize
581KB
MD5c26ce6a93d29371907a60f61d777984b
SHA10edccc2eaeef9a03b798229e2e24906bd37f6da0
SHA256aa047db4062578167e0a64c41c07c551dcb620ad9775ceb9b4bb71ef96bc774d
SHA5123f7b7260d408c15e81d3d784b274b3fdae8cfb23d760c92166494a865ec0a21c62ee4ecaf9681de585638b958a2c149f7f0f4029b3fcfb275956fa8f54bb730f
-
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exeFilesize
717KB
MD533cebc5aa90221dc0dd1865a1e4b5612
SHA1a63a807b120976cfb250cf6e4c874da48f071744
SHA256360799d91dbf4f6592b845dce1d0653def818640eb96dec98bd29c5844c7837b
SHA51256ed3f087581a4d87685de432567e8322cb32967973f00b5430574b63b89c1fe9d32a29d9d4709c61b135a4f8400d71a40dde5b9c2c7e90a9c21a3c4543bf401
-
C:\Program Files\Java\jdk-1.8\bin\javah.exeFilesize
581KB
MD551e5074fa09e723ee24de74596980a3a
SHA150935112d00bd1221504eeb8eb9607e6a31f52ff
SHA256f69a1257b7488a4deef343ce4308bc44c30c0ac4c1625a585ace9708e0a463c0
SHA512a77fc79c7fd29b26e39bc87f8355e602d4a69e286a4c0b7aab20fe558426ec133ebd9037deae0d67eb94283484f320bcd85a24d71e02ee73523aaaa280d6f26c
-
C:\Program Files\Java\jdk-1.8\bin\javap.exeFilesize
581KB
MD555f05d9ee0b1ad12f3003e5e6b796c0f
SHA1c1a954da51c22a73b7418066d0c1972ef40aa787
SHA2561b11313f7e44c4e9c82c2d6cd9b3b31976e682defd2928a9a6d2b8e6d26b2924
SHA512154b21af19ae895614803a519516d0558542e84747b778c66bbae78492162dcf719a1351452e68274bc02f74e34cedff106d83d79baad049f320782b4f2a640e
-
C:\Program Files\Java\jdk-1.8\bin\javapackager.exeFilesize
717KB
MD5e3defd975b566363a821d0873e8706a0
SHA13faac3e5abb185d147676b5895a4d2461b0ef10b
SHA256b9e96cccec4ed7e4cc9e11fbbbef9499cc7bfffb13b2ef55c1811a59af5e17b4
SHA512d83341a878e50aed5d038de8d91f430f2950d84683e8e017eb1f25c84ab83777d0cee642013030dec9bdf373da4dad2a705fd6826e6c01853a1b3b3e7623d726
-
C:\Program Files\Java\jdk-1.8\bin\javaw.exeFilesize
841KB
MD59e4019c74c813578d1cd33191f36b487
SHA13dab2d44b5b47cd2c548e664afdb42b3a1dd411c
SHA256ef43684bdf8cd1c293e54db038940684756a0892a248d084e769340dd60de0b3
SHA51253d4868969cbed187021fb321caef855a40c8bf80f906bd4616937dccc94a34ce83ebdc174bf158ce2a9b2d6cbd7dd2e76b28df7115324206f25aa3996226051
-
C:\Program Files\Java\jdk-1.8\bin\javaws.exeFilesize
1020KB
MD50423bf923313026bd71124b279a31699
SHA120bd73b2f4fed199535e2576544fd429aa819185
SHA256b68cd4f15f482e66253efbf23c3a288f2adbca23ca716dc49c89612402f9d971
SHA512215408cbf47a826337006a6aa67ec8707900f76c5da598e3e044feef11b14dd58f81cd02404d1a0f68edd89a872aee1151584c76606a7c8ceb4d5fff62968bc5
-
C:\Program Files\Windows Media Player\wmpnetwk.exeFilesize
1.5MB
MD5f7397c8b49dca93f71a07a85a4fad4d4
SHA1bf04db30d2477ff575dfdeb531d26c0a9976ba13
SHA256bc262ab76420ed6d8bc7b0e974c85c84db955944e5fa9fa2c2c4acfe00f2f719
SHA51233a4b891fd6dff1521c8d49cfdd8a11c8805bc4a5ecad3c85ba0620c1cd8f696e0c3625e4a2e41ddd657bf59383434439863788abac496ff9ed852d3130a7526
-
C:\Program Files\dotnet\dotnet.exeFilesize
701KB
MD5a8437ee6f92e214f850bb1b0429ba0f1
SHA1e8c66340f9abf8a0cf3dea581311320dfb886e2b
SHA2564d60cfce2fa6e4fb50497592709f69af012dca929f0042bc1dc3b4a60d196cbb
SHA5129cb8187908c6e3addaa962d13833008c6ba8bef128d39373060a5c0a2574c1c9b5b73940ab2d4dc08f4dbd461df526954540781beb71c3ae00962d7ad00c7d0f
-
C:\Windows\SysWOW64\perfhost.exeFilesize
588KB
MD57d8cd953b3d61254bf9dece1df6edc71
SHA1f0823f9b0804f6b536b4d8f930a355d9a5f6fad1
SHA2567f693e2fc3a5839a7b9df5f277dfb6646f61899a5c81f2199230b767db52dc19
SHA5124c5329c0fc9b4dd72a61c99af3e2ca4475d05058cf46a53392c829d0b397d96567da0d8a2fe6ff6d87c6f65f3d1fe756305cdb5dedd2f217b5a8a399fd706e94
-
C:\Windows\System32\AgentService.exe
Filesize 1.7MB
MD5 c2588bb8d583e25cbb0db3b997e4958d
SHA1 336fb51e3122764b8d5f32bc59ce4b2dc745252b
SHA256 266b63e900a2e2594560db0911e89fda151e5fdb4deaca83541028e4f76d626c
SHA512 ff3121746cb015fa792c98fb250870c0919bab11008ef314747cccf9a3bad83220409a7b1b8092a46e90b1e61c605c346d4a818cb1111f878db24290b4b87ab2
-
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize 659KB
MD5 290a0ea62d362cc3b9299affd37fd07e
SHA1 1cfac188de05b701cf5b48b02561cea4d9b45b64
SHA256 9548ceed6777d6b573830b5fd965d6c09539560c9e9dfe427be989d3dabf3b8c
SHA512 4b34eaec9d9fc7d4a9fc13ded4d02d44d4cf32e00afe915fa78cc54a54e32b080965ba2862155769f833724bce6d087ae9e40d6ebcf2169c16df8e9b60008e56
-
C:\Windows\System32\FXSSVC.exe
Filesize 1.2MB
MD5 2f7f6cd346aa240ee9679410f104d05e
SHA1 f5c119ba945437a2d0afe557ca6ebc6203d8f1f3
SHA256 7c541a52b4bd8b5f098d34a27952471c872d128d0d799b504a44e0866f3ffc20
SHA512 33e52acfc2e13534fe2efd41899b14cbf430a6d7328a902acd1ddab7a9767221384acd3a1ca5383f536714b0f5c4f6d5a630e95156e69c2bb68da642d7f4248d
-
C:\Windows\System32\Locator.exe
Filesize 578KB
MD5 690e4106c2c32501258313a33bf0a131
SHA1 4da207b9a6e9746eb8f70af2b1b457949a0e228a
SHA256 618b070fcdbeb22340571a08c83010682215aa4fea6e55cec7a06a5e369a0397
SHA512 c4225dad777d8565e4ed82d2d218b3e786b08b3af159501b6946f966421a478f0b6be46206cf80e11b18883c1db4307cabcb553ffa07731cdc2daae8457428c6
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize 940KB
MD5 874e56efb6e7a946ae11dbdb499e4e90
SHA1 d1f555bae9865f33de7ed6140eb227032bcde176
SHA256 d3c444095ca1ab8a32ae309ca6617d1a1fff5b3d18a8a518241f5fc14296d2e9
SHA512 55afc698bfc1bb0bb1664dbaf9bbd8fd88a47f19194fe76904484e7ce43f2aa7b04edf81cfc776d1f7b53ab58a02fd85ff9f4a01407d5ee7f9e4af4b2db2a9bf
-
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize 671KB
MD5 3b1426a301cdc4cf5ec2f002007b0588
SHA1 afd0f40f98a0494ff1fa5f0823aee02839e09063
SHA256 c22e41cdbab844908fdf9f908a771888780c32a8366e7803b80e5a6b6a05d05d
SHA512 dad8897169ba4b2b7543698b19639a0ea3be06ed01077d4caf731c63324316757d7c2d196308183c0aab1ebb18b154ba6d22fc8d8e43b1c5532a32d1ab6bcf5c
-
C:\Windows\System32\SearchIndexer.exe
Filesize 1.4MB
MD5 59de9ed5add849ad8f1fcb08304b379f
SHA1 d7b5844fa8e880a21ee229040d8e362f27cbb26a
SHA256 422c8f769febc9996e206fbd24d1ad689903d1ffa936cd68324c705a6549883e
SHA512 3ebd3fbbc0b6b04c9fe6629beeb2ec1c0fd2df2da0ba4fc54d4906366e7ca894c07ac122a2e209a162082e585a8b526f46692546afd7a14a677a3cba1fca9766
-
C:\Windows\System32\SensorDataService.exe
Filesize 1.8MB
MD5 fa9e948725c005398ba76ce1ffe92046
SHA1 a1093cd5e6e9d21928427af45ed4a4b66a760f62
SHA256 8d0ff2e4c54a9b3c52491b8b88377b2617f5c45623b4a0d96d852c8908a23bad
SHA512 0214ab443b63d238c4aca633af22695ce718fdf146271eed21df913bc78b75948c48266d36598c3a49b8e591230713b7806918bf512f1dc317b57f3fcb3cd8ff
-
C:\Windows\System32\Spectrum.exe
Filesize 1.4MB
MD5 033043e3d24d0f7269a3cacefd057b49
SHA1 551d7e1c38fc261f2237743a9c2dda4e0c7a2591
SHA256 cc0a66d414877615458d13a6a88943473bf4cc04a40e3efcad7a1bb98a7e5f3a
SHA512 87782bcd01be44cc076c832eda1beaf11028ac84db8ad2eeb5a7faaf2f171a7cf42a7b3601c51bdf38e45d853261b01e5575f68e91402079773d96ef14edc592
-
C:\Windows\System32\TieringEngineService.exe
Filesize 885KB
MD5 2208f531aea94cec38403e0a1cd213a4
SHA1 367b4443e156d1afcc8bc6eabf13ffe142d24a04
SHA256 101dc6ca1bd5782816dc85cbc71b1e7b102371ca53a23068551c76c3c4208802
SHA512 fb8d8fd994e6c683eae2de34fb0e674ec45759dde0720cc0810de8bbe7081e05566014567bf8a5c336f613e4b5fbef66aa3968713abad85b0923014592a9f821
-
C:\Windows\System32\VSSVC.exe
Filesize 2.0MB
MD5 d8179ae6fb02e71314671e6864bc898d
SHA1 9b07254274bb6edbc7dd456a27f2726b98571c03
SHA256 47f99ba1bc37005f4fc5007f3012477ddf0548cf0abbd5b2fdc4fc08d5a225e5
SHA512 f3cf8e9f57bc13ed249e01d352dbc75da65e7fed443b991d6d863724975774ca9378638d4cbb2a41e8661378bf95f7daeb0c567c7c4aacb2838ae5e51bedb7fd
-
C:\Windows\System32\alg.exe
Filesize 661KB
MD5 e9d3c677aa9a1bfb9eb96a49f000464a
SHA1 36d564f2b79e347fbe8023794e2a4e1adbca6597
SHA256 41205d7455df8193b0d25ea057f8b5d885d487c5f9f7d9b8f52e11f74017ef38
SHA512 3d3734103ce4d79ac21149f22a2ae8edce320d87ff143afb621ee324f500cceceba37531edcd986f2147a1ba7ef3ba71fe934de32bb7e380d3b68a41d0872ecb
-
C:\Windows\System32\msdtc.exe
Filesize 712KB
MD5 d35ddbcd1bb79874c4578bcd8a55e5d4
SHA1 26de0ccb998d6fe59b388189c8e0a86089594e94
SHA256 d0a26f241fe5f369f1c18c06ae390c17a1aeb843663ca72845b1690b5e029144
SHA512 584219d4bd1f5d1ad03ab291990d795b056c107784d5550d34a3bfbd8e705ba39115da480ec1d3a310d39bafc9bd2315f30b4d68029143882427351905aad325
-
C:\Windows\System32\snmptrap.exe
Filesize 584KB
MD5 03c810e4f1744e5a95100af422c9af4d
SHA1 2f50479ed7595cc7ecdb52d97b831f66c06c756a
SHA256 426edb6bb7f0ad6763ad5361432a9ce42fdc16467ac6b97985a2c4b7f60f2c75
SHA512 38a68da32e66f402d85b9995167ea3de17cc2e49e79cfe6ff3dfc4d02894e609242e58e756faafe7a4a1f35d2c62649eae894014bb1492438bac0e0492f60aba
-
C:\Windows\System32\vds.exe
Filesize 1.3MB
MD5 38d60816b78d67d429128465cd20ed30
SHA1 91237c810cf919416f567349364840fd72e8036c
SHA256 56f89d20512a094c29d30c883ec0962cf52ad7e80d231bef4b0f98bec3d681df
SHA512 549452c90f3e7c95f0336f8784684aedf3f6508c179dbbadd3f764b591eee13fb9f8280d641eae91d42ec2606868ff0dcc80e048e6fb1c657a3b1d8d0132501c
-
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize 772KB
MD5 4a9ac7b4ac82e45ef637efdc6295a8d4
SHA1 2e4b5796be1a123137228d8fdee1ce5e8c4eed5b
SHA256 1f487549d6952050a3a9c3199e2ea86446e437d48a8b26e7a83a02d5713e56bc
SHA512 2542dcff2ad5c67fc7981efe5f9e63f29911923f35e3e30c87c2acfb4c79cf4afb8007763b12e5053ee4ef05576d89248b559a935a668840658a22a246f9da0e
-
C:\Windows\System32\wbengine.exe
Filesize 2.1MB
MD5 39a272f10f7fda195c4597c21394e668
SHA1 26c2e3de209c356230c160d4d8b28a815fc8bfc4
SHA256 af57df52066bb589c2887488feaf39988f55c5d090655bd016efa37c11d41671
SHA512 9d95c251cc33d2585012bb25a532a68ad564dcf99467ee4a5e4ef72f2c86f352b03f7d432a279b422aba971a408a9c321754f03dd526bedfd4d35578b83cce36
-
C:\Windows\system32\AppVClient.exe
Filesize 1.3MB
MD5 b3a4a6288458f6fb2493afcc4944417b
SHA1 06a447e51472ab620332cf9ee83a44639d5793a2
SHA256 387b2a04f91a28f8d9886aa75b0cb89a99055fd88d58f28083d98485da71f751
SHA512 67280edd5cfbb75149bb6267819bc49db4c8b646f6551cade7550a1e3051b587e4dc181c3b7b23eba9e9b4e39f9a8c4f20e995b2276760f0b5a4c8e5b92d9def
-
C:\Windows\system32\SgrmBroker.exe
Filesize 877KB
MD5 1a95f83e3d96b0091ca96792249e528a
SHA1 cc5a6dd76e8f3ec40aaa585a0b1f3f8873402719
SHA256 87508129c6a7eb80bbc0d401ac9b6c1bde0bfcfc09d5fe980e4b07381db2c20b
SHA512 4468c02315b6fdd88c0d481f9d15490109bd64277d75e18c92e18b672aa0f82e314b3bf17cdd15e6a971ebe3adc06aaa71bb2136cce4485f8feda48d5eaaec79
-
C:\Windows\system32\msiexec.exe
Filesize 635KB
MD5 f6b66cee7509f8a9c560ccf352320948
SHA1 6a97c0a2b7adc50bc2f4f96b65c735633add92d8
SHA256 44ea38d8e1f4ad62f85b453d90da04cebd6cf1aad4f3d3d000fb16586f6c5727
SHA512 66f885ebb4ce48e05a4bb8b17856ce5712c9cec7a1e3a0c47481e19d8cbfbbc697706a79d30240fc719d5442b2a697e5536fae5b33f9dd1e1286ca281130cd44
-
memory/212-81-0x0000000140000000-0x00000001400B9000-memory.dmp
Filesize 740KB
-
memory/216-85-0x0000000140000000-0x00000001400AB000-memory.dmp
Filesize 684KB
-
memory/216-156-0x0000000140000000-0x00000001400AB000-memory.dmp
Filesize 684KB
-
memory/216-92-0x00000000006D0000-0x0000000000730000-memory.dmp
Filesize 384KB
-
memory/364-376-0x0000000140000000-0x0000000140169000-memory.dmp
Filesize 1.4MB
-
memory/364-129-0x0000000140000000-0x0000000140169000-memory.dmp
Filesize 1.4MB
-
memory/484-99-0x0000000000400000-0x0000000000497000-memory.dmp
Filesize 604KB
-
memory/484-160-0x0000000000400000-0x0000000000497000-memory.dmp
Filesize 604KB
-
memory/484-100-0x00000000006A0000-0x0000000000707000-memory.dmp
Filesize 412KB
-
memory/484-105-0x00000000006A0000-0x0000000000707000-memory.dmp
Filesize 412KB
-
memory/836-151-0x0000000140000000-0x00000001401C0000-memory.dmp
Filesize 1.8MB
-
memory/836-150-0x0000000140000000-0x00000001401C0000-memory.dmp
Filesize 1.8MB
-
memory/1488-164-0x0000000140000000-0x00000001400C6000-memory.dmp
Filesize 792KB
-
memory/1488-487-0x0000000140000000-0x00000001400C6000-memory.dmp
Filesize 792KB
-
memory/1516-23-0x00000000006D0000-0x0000000000730000-memory.dmp
Filesize 384KB
-
memory/1516-16-0x00000000006D0000-0x0000000000730000-memory.dmp
Filesize 384KB
-
memory/1516-22-0x00000000006D0000-0x0000000000730000-memory.dmp
Filesize 384KB
-
memory/1516-21-0x0000000140000000-0x00000001400A9000-memory.dmp
Filesize 676KB
-
memory/1516-110-0x0000000140000000-0x00000001400A9000-memory.dmp
Filesize 676KB
-
memory/2056-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp
Filesize 384KB
-
memory/2056-54-0x0000000140000000-0x00000001400CF000-memory.dmp
Filesize 828KB
-
memory/2056-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp
Filesize 384KB
-
memory/2056-67-0x0000000140000000-0x00000001400CF000-memory.dmp
Filesize 828KB
-
memory/2056-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp
Filesize 384KB
-
memory/2172-118-0x0000000140000000-0x0000000140096000-memory.dmp
Filesize 600KB
-
memory/2280-28-0x0000000140000000-0x0000000140135000-memory.dmp
Filesize 1.2MB
-
memory/2280-41-0x0000000140000000-0x0000000140135000-memory.dmp
Filesize 1.2MB
-
memory/2616-32-0x0000000000DB0000-0x0000000000E10000-memory.dmp
Filesize 384KB
-
memory/2616-133-0x0000000140000000-0x000000014024B000-memory.dmp
Filesize 2.3MB
-
memory/2616-38-0x0000000000DB0000-0x0000000000E10000-memory.dmp
Filesize 384KB
-
memory/2616-31-0x0000000140000000-0x000000014024B000-memory.dmp
Filesize 2.3MB
-
memory/2884-146-0x0000000140000000-0x00000001400E2000-memory.dmp
Filesize 904KB
-
memory/2884-481-0x0000000140000000-0x00000001400E2000-memory.dmp
Filesize 904KB
-
memory/3104-49-0x0000000140000000-0x000000014022B000-memory.dmp
Filesize 2.2MB
-
memory/3104-145-0x0000000140000000-0x000000014022B000-memory.dmp
Filesize 2.2MB
-
memory/3104-43-0x00000000001A0000-0x0000000000200000-memory.dmp
Filesize 384KB
-
memory/3104-50-0x00000000001A0000-0x0000000000200000-memory.dmp
Filesize 384KB
-
memory/3108-72-0x00000000007C0000-0x0000000000820000-memory.dmp
Filesize 384KB
-
memory/3108-82-0x0000000140000000-0x00000001400CF000-memory.dmp
Filesize 828KB
-
memory/3108-78-0x00000000007C0000-0x0000000000820000-memory.dmp
Filesize 384KB
-
memory/3248-161-0x0000000140000000-0x0000000140216000-memory.dmp
Filesize 2.1MB
-
memory/3248-486-0x0000000140000000-0x0000000140216000-memory.dmp
Filesize 2.1MB
-
memory/3288-111-0x0000000140000000-0x0000000140095000-memory.dmp
Filesize 596KB
-
memory/3472-458-0x0000000140000000-0x0000000140102000-memory.dmp
Filesize 1.0MB
-
memory/3472-134-0x0000000140000000-0x0000000140102000-memory.dmp
Filesize 1.0MB
-
memory/3648-157-0x0000000140000000-0x00000001401FC000-memory.dmp
Filesize 2.0MB
-
memory/3648-483-0x0000000140000000-0x00000001401FC000-memory.dmp
Filesize 2.0MB
-
memory/3740-169-0x0000000140000000-0x0000000140179000-memory.dmp
Filesize 1.5MB
-
memory/3740-488-0x0000000140000000-0x0000000140179000-memory.dmp
Filesize 1.5MB
-
memory/3764-12-0x0000000140000000-0x00000001400AA000-memory.dmp
Filesize 680KB
-
memory/3764-109-0x0000000140000000-0x00000001400AA000-memory.dmp
Filesize 680KB
-
memory/4268-168-0x0000000140000000-0x00000001401D7000-memory.dmp
Filesize 1.8MB
-
memory/4268-381-0x0000000140000000-0x00000001401D7000-memory.dmp
Filesize 1.8MB
-
memory/4268-116-0x0000000140000000-0x00000001401D7000-memory.dmp
Filesize 1.8MB
-
memory/4576-0-0x0000000000400000-0x00000000005D9000-memory.dmp
Filesize 1.8MB
-
memory/4576-84-0x0000000000400000-0x00000000005D9000-memory.dmp
Filesize 1.8MB
-
memory/4576-6-0x0000000002310000-0x0000000002377000-memory.dmp
Filesize 412KB
-
memory/4576-1-0x0000000002310000-0x0000000002377000-memory.dmp
Filesize 412KB
-
memory/4936-482-0x0000000140000000-0x0000000140147000-memory.dmp
Filesize 1.3MB
-
memory/4936-153-0x0000000140000000-0x0000000140147000-memory.dmp
Filesize 1.3MB
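The two listings above are the report's host indicators: every dropped-file path is a legitimate Windows service binary (alg.exe, fxssvc.exe, VSSVC.exe, wbengine.exe and so on) that the sample opened for modification and then executed, so a file on disk whose SHA256 equals one of the listed values is the trojanised copy, while a non-matching file only proves a different build is present. The memory entries name the process, a dump index and the dumped address range, and the range length should reproduce the printed size. The Python below is an added example, not the sandbox's tooling or anything from the report: it parses both the label-fused form the extraction produced ("...exeFilesize", "MD5c258...") and a space-separated form, rejects hashes of the wrong length (a truncated hash is an indicator that can never fire), checks each region's printed size against end minus start using an assumed rounding rule, and compares on-disk SHA256 values with the listed ones. The embedded SAMPLE text is constructed from entries copied out of the listing, and the hasher argument is a hypothetical injection point so the check can be exercised without the files.

```python
import hashlib
import re
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample: entries copied from the listing, in the label-fused form the
# extraction produced ("...exeFilesize", "MD5c258...") and in space-separated form.
SAMPLE = r"""
C:\Windows\System32\AgentService.exeFilesize
1.7MB
MD5c2588bb8d583e25cbb0db3b997e4958d
SHA1336fb51e3122764b8d5f32bc59ce4b2dc745252b
SHA256266b63e900a2e2594560db0911e89fda151e5fdb4deaca83541028e4f76d626c
SHA512ff3121746cb015fa792c98fb250870c0919bab11008ef314747cccf9a3bad83220409a7b1b8092a46e90b1e61c605c346d4a818cb1111f878db24290b4b87ab2
-
C:\Windows\System32\alg.exe
Filesize 661KB
MD5 e9d3c677aa9a1bfb9eb96a49f000464a
SHA1 36d564f2b79e347fbe8023794e2a4e1adbca6597
SHA256 41205d7455df8193b0d25ea057f8b5d885d487c5f9f7d9b8f52e11f74017ef38
SHA512 3d3734103ce4d79ac21149f22a2ae8edce320d87ff143afb621ee324f500cceceba37531edcd986f2147a1ba7ef3ba71fe934de32bb7e380d3b68a41d0872ecb
-
memory/212-81-0x0000000140000000-0x00000001400B9000-memory.dmpFilesize
740KB
-
memory/364-129-0x0000000140000000-0x0000000140169000-memory.dmp
Filesize 1.4MB
-
"""

@dataclass
class DroppedFile:
    path: str
    size: str                                   # as printed in the report
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex

@dataclass
class MemoryRegion:
    pid: int
    start: int
    end: int
    size: str                                   # as printed in the report
    size_bytes = property(lambda self: self.end - self.start)

_FILESIZE = re.compile(r"^(?P<name>.*?)\s*Filesize\s*(?P<size>\S*)$")
_HASH = re.compile(r"^(?P<alg>MD5|SHA1|SHA256|SHA512)\s*(?P<val>[0-9a-fA-F]+)$")
_MEM = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def human_size(n):
    # Assumption: the report prints whole KB below 1 MiB and MB to one decimal above.
    kib = n / 1024
    return f"{kib / 1024:.1f}MB" if kib >= 1024 else f"{int(kib)}KB"

def parse_report(text):
    files, regions = [], []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        m = _FILESIZE.match(lines[i])
        i += 1
        if not m:
            continue
        # The name is fused onto the Filesize label or sits on the line before it.
        name = m["name"] or (lines[i - 2] if i >= 2 else "")
        size = m["size"]
        if not size and i < len(lines):         # value printed on the next line
            size, i = lines[i], i + 1
        mem = _MEM.match(name)
        if mem:
            pid, start, end = mem.groups()
            regions.append(MemoryRegion(int(pid), int(start, 16), int(end, 16), size))
            continue
        entry = DroppedFile(name, size)
        while i < len(lines) and (h := _HASH.match(lines[i])):
            alg, val = h["alg"], h["val"].lower()
            if len(val) != HASH_LEN[alg]:       # a truncated hash would never match anything
                raise ValueError(f"{name}: {alg} has {len(val)} hex digits")
            entry.hashes[alg] = val
            i += 1
        files.append(entry)
    return files, regions

def verify_region_sizes(regions):
    """Regions whose printed size disagrees with end - start of the dumped range."""
    return [r for r in regions if human_size(r.size_bytes) != r.size]

def sha256_file(path):
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except OSError:
        return None

def check_host(files, hasher=sha256_file):
    # 'hit': the exact trojanised binary is on disk; 'differs': the path exists with
    # another hash (clean build or other variant: verify its Authenticode signature,
    # do not assume clean); 'absent': the path is not present.
    return {f.path: "absent" if (got := hasher(f.path)) is None
            else "hit" if got == f.hashes.get("SHA256") else "differs" for f in files}
```

On a Windows host the whole report text can be fed to parse_report and the resulting file list to check_host (run elevated so System32 is readable); a "differs" verdict only says a different build of that service binary is present, so confirm it with Get-AuthenticodeSignature on the path rather than treating it as clean. verify_region_sizes returning an empty list confirms that every dumped range in the listing is the full mapped image (the 0x140000000 regions are the default x64 image base, the 0x400000 ones the x86 one), which is what makes those dumps suitable for hashing and comparison.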