Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 19:17
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
Resource: win7-20240508-en

General
Target: 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
Size: 1.8MB
MD5: dc2086fa3c393b4e5f7189bf90bd6d55
SHA1: 6ad347cf0ee17811c5c549b176e694dc0fb75fdd
SHA256: 24bceb02eb8433fb61bb7833e98c8dd9da1fb3884c33b0dfb505a99607e34685
SHA512: fbf0bb2a37454ce4ea9f5353d0e692791db670922424abfbc6dd5155d417182c83fa20b27945c26f55ad2b18924827ce22c00052360bf2158076296f1e3c584e
SSDEEP: 49152:JE19+ApwXk1QE1RzsEQPaxHNt65RjUV2Vo:693wXmoKl65tUV
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes:
pid | process
2460 | alg.exe
4500 | DiagnosticsHub.StandardCollector.Service.exe
452 | fxssvc.exe
1288 | elevation_service.exe
5428 | elevation_service.exe
4932 | maintenanceservice.exe
1492 | msdtc.exe
3612 | OSE.EXE
3156 | PerceptionSimulationService.exe
3716 | perfhost.exe
4912 | locator.exe
5420 | SensorDataService.exe
5740 | snmptrap.exe
3632 | spectrum.exe
2980 | ssh-agent.exe
660 | TieringEngineService.exe
2436 | AgentService.exe
784 | vds.exe
2920 | vssvc.exe
3648 | wbengine.exe
6068 | WmiApSrv.exe
5220 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\ded9aa94bb5459c0.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
Drops file in Windows directory (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000985933100faeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008880750e0faeda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000491d920e0faeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0e3770e0faeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000282560e0faeda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e353280f0faeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d2a210f0faeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3d1450e0faeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4c53d0f0faeda01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d643b0f0faeda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
pid | process
4672 | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe (35 identical entries)
4500 | DiagnosticsHub.StandardCollector.Service.exe (7 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
676 | (not recorded)
676 | (not recorded)
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
description | pid | process
Token: SeTakeOwnershipPrivilege | 4672 | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
Token: SeAuditPrivilege | 452 | fxssvc.exe
Token: SeRestorePrivilege | 660 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 660 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 2436 | AgentService.exe
Token: SeBackupPrivilege | 2920 | vssvc.exe
Token: SeRestorePrivilege | 2920 | vssvc.exe
Token: SeAuditPrivilege | 2920 | vssvc.exe
Token: SeBackupPrivilege | 3648 | wbengine.exe
Token: SeRestorePrivilege | 3648 | wbengine.exe
Token: SeSecurityPrivilege | 3648 | wbengine.exe
Token: 33 | 5220 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 5220 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 5220 | SearchIndexer.exe (24 identical entries)
Token: SeDebugPrivilege | 4672 | 2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe (5 identical entries)
Token: SeDebugPrivilege | 4500 | DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description | pid | process | target process
PID 5220 wrote to memory of 2064 | 5220 | SearchIndexer.exe | SearchProtocolHost.exe
PID 5220 wrote to memory of 2064 | 5220 | SearchIndexer.exe | SearchProtocolHost.exe
PID 5220 wrote to memory of 1512 | 5220 | SearchIndexer.exe | SearchFilterHost.exe
PID 5220 wrote to memory of 1512 | 5220 | SearchIndexer.exe | SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-05-24_dc2086fa3c393b4e5f7189bf90bd6d55_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\alg.exe
  cmdline: C:\Windows\System32\alg.exe
- Executes dropped EXE
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  cmdline: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
-
C:\Windows\system32\fxssvc.exe
  cmdline: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
-
C:\Windows\System32\msdtc.exe
  cmdline: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  cmdline: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exe
  cmdline: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
-
C:\Windows\system32\locator.exe
  cmdline: C:\Windows\system32\locator.exe
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exe
  cmdline: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exe
  cmdline: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exe
  cmdline: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
  cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
-
C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
-
C:\Windows\system32\TieringEngineService.exe
  cmdline: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exe
  cmdline: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exe
  cmdline: C:\Windows\System32\vds.exe
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe
  cmdline: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exe
  cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exe
  cmdline: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  (child of SearchIndexer.exe) C:\Windows\system32\SearchProtocolHost.exe
    cmdline: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  -
  (child of SearchIndexer.exe) C:\Windows\system32\SearchFilterHost.exe
    cmdline: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
Network
Downloads
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize: 2.1MB
MD5: a7ea533147597c81e44327984d5bb116
SHA1: 599a1026d9050cf9233c1261e174340f8cbff4a4
SHA256: a08ac0e091db5b4b878c3300b6dd16cabb87a78e2ca304730b8bcc8213c6a7ee
SHA512: db725b98492dbda176a3f2deaf0a1ceade799fe0b1767d9ca93d41d69064d18dd2c79ccd44edad04419a51c54438c901f089c9c01c204ed77973d36709b46dc6
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize: 797KB
MD5: 2481dd5bc07a97f3daf86097ef3da3d0
SHA1: 12bb4c7e74325a8ccd00c3088f3c7aded4c7858b
SHA256: 42f7d70263adcebfd0f4db49896f7cfe34504952997276e8471e2c8df1d51fbf
SHA512: 97e235c6b865a6fe95b9bb0033558835fe158a745ff1f923746f63a5fcf9e4ae4208d8bccaf23312645f2720c16b8a0e806abe99130232cdc19750870d296484
-
C:\Program Files\7-Zip\7z.exe
Filesize: 1.1MB
MD5: b0f485adfe6f09439dc52de2a04cd5de
SHA1: b736c9686767153ab4fb88b382b3288913820685
SHA256: cde965e55e05c807a0f2b54c224245f2599fc27fbaf67a836d0280f1bb9ccb3a
SHA512: fd78b72b77963c8c4e54c2aa994a12dffa1db6ddb134e2a367f091dfbf63dbf99a132a388fb90e0faae4acfbaabfbc862d436b08556c217b1908db9315e61cd8
-
C:\Program Files\7-Zip\7zFM.exe
Filesize: 1.5MB
MD5: 548a7a696e7058202beeb3af754161ba
SHA1: a1e594a02a2ef0faec6c9242ee15ed56be4126da
SHA256: f7515e1455b959c90dad751dec3dc3371b23fb58d739b3969a2d7f273cd3310e
SHA512: e04f229d1256f971abb8c1893d2a24557824323314be25b3e053c7785e0d2b52ad7d2fa61f0c5701d51d9a02f2c61923e034746306aa36c09d1b9235e96bb361
-
C:\Program Files\7-Zip\7zG.exe
Filesize: 1.2MB
MD5: bf7e1c881f3a9606dc42b8d4227d151d
SHA1: cfa341c5f02913f7c751d673aca8f8c4a66fa039
SHA256: 2da984b5092232d9ee06152115c2af271b5e5937c63c8647da46a1ce267a92c2
SHA512: c84ca335e08ceb895a976190c272c38938a32740550286c00b9a6afcca22ec1aab6c90a8d15cd36f5ec8698b3d537127a4ed15e53af1153d63b95f9e166a6a9a
-
C:\Program Files\7-Zip\Uninstall.exe
Filesize: 582KB
MD5: cbdcfc6b63dabc93906035b87288c28e
SHA1: 0150e8312b2114baaf1b3a84978af87694763210
SHA256: 3a29d571993ea70a7a7a46f104c29bca81032cced5b3436c87e7b8c8b957d511
SHA512: 23951306d6f26e72a0d8da8b80b008530b67c97cfdf55525046e75d8edcda6771f3feea39ef0132cf2082124fceaccdb59d2061d330fe49e4d2fad2292d01f7f
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize: 840KB
MD5: e40c1db5a196915b5027ec2806bc8473
SHA1: f4ad8c707bc1cf699cc1ce8e941a23aacbb6f725
SHA256: e1d8269ddee18b6831c065920665086eb36e255ec5ab95423bcafb1a6bae8957
SHA512: 89435436124806302fd22592ee3e15d978b7d0b84f19f03e6aeea90890499f0323b6c7af533efb06f360cd41a440fe0cfeae6e760585f7f3132d4c03455290d9
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize: 4.6MB
MD5: 1cc60e239aca760930278372fb1b3acc
SHA1: ad36a411de8ff7c6fae90711d7e54044ebebf2f5
SHA256: c665e1de90d7292fdc5e7494283bc1e8cf9d7aae94203263dca4d2d802f25bbb
SHA512: 404aa56cd682e44292953c1aee5bd9ade42a46a051102161862081e0c01c5c3676f57b67724988de96a72e623b998331d4122d784fc6f918e17b89d5ca79c869
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize: 910KB
MD5: 7ffcc09063f5fa1a8e6a3fb1151d98d1
SHA1: 5843bead544b6df9bc64010464cc832f57f1ada6
SHA256: 586b6c7a77b56a1a2aa70198654867c51e7693c847e69d59a6775317ec2345b2
SHA512: d52eedfac35520520f1012e8ea0c1dbbd208aab94068b1794d13160537935d788376f3fa9813a52355c01a93e624a04875a5725a267b9baed40618cefcfc5f66
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize: 24.0MB
MD5: 6ced735fcf248472f796174a40e2ac0e
SHA1: 1fa42511b01094c3bf4de81b2471771d29ecd275
SHA256: eaa37fe643f22cd0a5f28a85eba0836c24232fccf5a784928e6e60631b8e9f53
SHA512: 9b966afcac12cd2e770b2b5c0b4713e2513dae330c4dc31889a008906c20dfb61c479b5eac5e34461fb1039b40f74259d77381949178f81f2bb1af384f1e7fef
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize: 2.7MB
MD5: ae9b8ea47d13b9317a5038c080a9d317
SHA1: b669048ca5b31fa2c6282e511c907beda0c20e3f
SHA256: fcf2373363ea15ed2e99a36bd89ec5280addaa469baff225668ae8cfc38ed3c5
SHA512: b8c71eba9fa528cc336397993ba58ebcb3024dd7e81300fcf96d95341fdfeae27e889c5cd5acd6882b32929bfbdfc8b4186f69c9fb95415a32399e4db03092b1
-
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize: 1.1MB
MD5: e61ca54ad950b392bc19b30c5b3333ec
SHA1: c1d7ae352ab3c4f251e0e64f22e99ba22f6d53de
SHA256: b390db12d1b36b75b45a220e5aa8458e28841f79814fc3c2446b92f6ac15e334
SHA512: 8ea1725afd51d8cd2cc576ef8e6487c3f27d9f1d423a7b30c091edcf0eae2ddb8ad452cfd4b07646279a87d1fc7088c472232b81bdb33a5a4633a5b2a580129e
-
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize: 805KB
MD5: 442b75a19d0a16b99d6d8258af056d1b
SHA1: b63c078430af3075cc4b2ab38ebe0f751bb42eaf
SHA256: 528272ac715c573038b4dccc536cca2eb16c8c90b9fcca0203551898675e803d
SHA512: 79016d681e0e0e22a2b99fef58f9ccff6276cec981c084640ab6805f3d42d4145abf7b866f764bf7b4f20ad7a2ca6452da1d2015f244d5f7f414fab9f7196f90
-
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize: 656KB
MD5: 7e2b231424a063a8515461b5eabc1bde
SHA1: a70ec6c8fd5e000ff0a378c79aeb4073faf1ead3
SHA256: c60a430c40459d81546d8d3be6d8a38e838dd0f6f5bd930a873d13d1bc8f22b6
SHA512: 1b04b3a76f5b9819a627a93a708347d2a02f7c345616f3d22a2319ac43da1c83633b1bae6a26e9d74fd38dbd03243ebbb73cf46b21d40b4109107836bbe969eb
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize: 5.4MB
MD5: 9dfa3fdf1acd3d09c1ad6016735abb75
SHA1: e22b71106a17b0719cd1aed85ab251ab79ad8683
SHA256: 43981e8ffdbf49c6a64e57721c3e282311494b275391a127ad1970e3b4223549
SHA512: 3e68c72e2ed72ada8b824df6c1b20a58a5a0f6595d5023c56eb9ae78babf3756847b027ac5ef5041ebe105a77b8b2721d0266c9a44e06a59e5f70ca57c8722b8
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize: 5.4MB
MD5: 09fb08106d421767eae7c78e18eead1c
SHA1: c6ec8686fd770dfbdad56cb46058f48216602bde
SHA256: 681df968b08362a43e3b5febb72667d80ea2a97a841b5cae21259de90f02cc73
SHA512: 71fd71944be40c3c02bd6d31bfea191fea82052863476b4a6e17c1273ff3edfe0602cc400c2e90541fc438acd3653831c1c9d193e5fa8b179ba68df55b04afd1
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize: 2.0MB
MD5: b560927130b9737977ca42953fd106dc
SHA1: f173bd17ea169f6311b625d710620e0b2aecc512
SHA256: 5806000fe210a1cf6989cb4632e08a709c44feca05f833ae30bd7f0b3e82ff1a
SHA512: 9ac391ffa170ef8c11359ddd4c109e600062e68f3f16848865d060b92d5a103e23b1fcca8f224b83ef4ff0d862d510f7971cd5d9a94b5cde0435b3e4100634e1
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize: 2.2MB
MD5: ef55818aa0c37f492ece577e535a859e
SHA1: c70ef7ddba034ff01fd215f5b3cc4c2e8cd867b2
SHA256: 72338e7804a4b535b2783ceb4ac9572e99007fed9a63fd480b75dbfb6c39bc82
SHA512: c45b4ca20395678a36ec8e2b576f502b78d0ef5385713d5d4cf1e3123481b6821dd6481f57acba9d264d2eb4caf8767da5cc2a37e0badadaedb187b26ffbec94
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize: 1.8MB
MD5: 58a990f1c9a5db1a3bb510edc74c5025
SHA1: eac68e43ac0a5c5c92b04271666eb1b3fad0ad4e
SHA256: 7416f0596fbffaa1b3c06ba6101885c8448f7eefcabfe83ad0cb83adea5fc5b5
SHA512: 2c6d6f63fde5517944fa718c5049cfb65971c16cb208682df1d265bf79b11256005f606b8cee76bcd609002f337fbf8ad654c2718f392d59350e2a1744ac8f14
-
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize: 1.7MB
MD5: f7e0cfc2f16d4a6658701c800362a846
SHA1: 844e9060612edb1c408dcb26390fc5bf860aff50
SHA256: a9dd3606e95cfe2584fbd8c080505ead92ba01001b9b9fc3ab0ec4b693ce55c6
SHA512: e8afb4728d4cc8b6158c1bef7f4ed15618f0301f370b3ea8518f8ea99aa768431bec567e588dea0074124f223ce1626e14a5b7be05590e4a3311adff85313b9d
-
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize: 581KB
MD5: 6a429dd33536747482d36741d515b324
SHA1: a2e02b8121bca43f68fccbc15c29817683984bed
SHA256: e50adefc64260f1dc7dda815caf71c0aef50ba29fa2a81eddcd1ebc7df2b4cd3
SHA512: 7aa9b77cf7fa1c5e48cca299a8f3c46a84787c0a3774153dd37b80e59fb39a650ad3fc895dab2468731d0a6c51a21d259c8c0983054d741def7a88cf595b9008
-
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize: 581KB
MD5: f7ef9a5d3aba892a3daa0bb0281ff815
SHA1: 90e5248e253d1851e4f5a08dc9928c836bcb5716
SHA256: 15342f10efcbfca97b898cb301f0408fd2ccf5787e070e415fad38db08d44df3
SHA512: 7705f6154b2ed4b90a19a4dc1e25e15fd26d5acde81e1ac70d5f0451c7896c532ea46e40cae99cb272973872e0a91b90d518a6e64a76a564fd8880852178594d
-
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize: 581KB
MD5: b6b0a7961444c530d971b65c46dfcdc8
SHA1: acf4f5087255fb0939e32722a48df376536f9867
SHA256: 44e1033c7fec1e38865e6af69adaa05ba62c053574b89167f4f60a719a458f3d
SHA512: e110c969be7df083cb41143abf6a672eec50980892b20cf04c62dc3b79eca7cdf781e9b5b8f615e8aa7c52adc5eefbf7e88c84069cc099469abe7054ad4354f2
-
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize: 601KB
MD5: 1e48be168dfdbfda69d4517869232a6b
SHA1: bc3a8a7dcf6a750b194969248d3a1762aff08e96
SHA256: 6a00ebfa5caecff97a68c28a3b2affc99a03e4b9e2b962ec2ed3984f49f73f7d
SHA512: e628372b102f8d7e6e0801036a58de7be4a7983566e3d8da555bcfb6363b6c7ca52ec38c63a683cfbb747f783f522a0778982e7729272aeee1ad5763f4446a15
-
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize: 581KB
MD5: a456d9199b499fb467a9c2574a657b11
SHA1: 5aaecf476b66922d74673122a08fb85c96bc4495
SHA256: cf0d836a33d467755bb31c4c8f2e7316671de19ebb6b5881cfcac290aa1eb69e
SHA512: a9f0e9bf643679db15fc9ea01ee9c37abe285a30809a9f2c2beaddcb1791cf1897d167cd353f8e6d24a47e44a86cb66f5c7b2c44101af727de3378d317f15194
-
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize: 581KB
MD5: 75eb041fc2c37ad6a30ac4e0ebcd55f9
SHA1: 3da97d5587f7f5c4a408c381026030bd6e7bdea0
SHA256: 7a6d382293fb4dcbb40338e213ec7009b9dbfeb6fca4bcbf53f4e759f9a4b1ca
SHA512: df4438656680dd682090c5222f8bad90f381d971cd24e9df2e6334f520e2b24779b7face96a853b0eee5f9db8c69f56d9886415cc7007d67d7621fe8c5d576f7
-
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize: 581KB
MD5: e6b4a1c79690d08ace64a9b8b9a65eb0
SHA1: 7242c24259e6e7eb7cf453eba09f9188d558a4ea
SHA256: 401d006c466633a1be667aaa8d7652e4e8744a35209f0349266616dddfc53a2c
SHA512: b7ef800bea17b9c27ecf8c9c0e825bd5b8c73ea2da06487a17d1e90c4eec3e5756bb2cf90facd3e06544a685503bdc2afda51738e528d00a849d6b4fc193e0a3
-
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize: 841KB
MD5: 9b84a8273c5d5a83cb38b39614d093fa
SHA1: 91ce8c408c6c299bc628523a7c282e91c8ae6837
SHA256: 62ed22dc3a38aa4527e088191c3edf484d71244d51f543c9c7117f7ce37c6526
SHA512: 683f932dfc54449bce15524da58e8f9d9403e40b25d2491452ea64b4e4d8ff446d377a3a90b64d6ca253920d65de2ae00e0362f17ed562357c28ea91aae2c3e0
-
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize: 581KB
MD5: db9ce3f02bd000ae4d1326e5781c644a
SHA1: 958c04beec006e5b49a258432d6ce64a3125201f
SHA256: ca8f63d8d008b8d5e8b27baba278dc64a3595312041af4fa5b48cda8776b37ae
SHA512: 47ce06bc313296caf5ce3d24107f07958796f36f0b545a80c10ce90f980851e50c3087d40aa29b4a733a5c5d8fb3dd863d93cac006fcd73505d9fa8d759e2640
-
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize: 581KB
MD5: eed12f049030779acb9642a33c9d5168
SHA1: 8071b928f74c561c09e93eff2a82d7586ce32e38
SHA256: 77cf4e7ca3c1b968e615cfe370804c7a256311c0384813e71908af0d00e40cd9
SHA512: b6ac3ae3afee6b69b06b2202accbabf5e8bef62747237808624d14021886e0c8cdf1949c07e5c4a5a78186683cdc563108dcb08f3b06359906bf500af0c8dccb
-
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize: 717KB
MD5: 752247964b166c2fff1fd8cbf6402374
SHA1: 5c6711aa1d37e1ac08391f94bd2c2aa3279879b1
SHA256: f261b6b3e45870a6ecef2bbec8f2fe8f7c01d228cd16bc07014026c2cba55a55
SHA512: 2e560d239b36ef827b307928011a03a7139b3a7189e2545c6d1dbbcce3a2a4adc042303569e1be643c678a92bc9ec2ee31cc6b254ac0d3bbc44702fda7edeec2
-
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize: 581KB
MD5: f17a1fba936c613c449792c86feef7e3
SHA1: e82f0f909baec0d200de83b02a69a78845a7c070
SHA256: 282466238511e899d626d9d356af82c1823fd7d1b8c7fdc4107e9ba1e616044f
SHA512: 48d77d1c86ee999e1fb2d4a77e1fbffca27790cbe261f06489aeb6812366b0a761c442f724e364ef5757abe1760d4294908079cb0470e58e37d3926d067a7b80
-
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize: 581KB
MD5: 300cdcf60d8063546e2e953082027df6
SHA1: 74a3841cdcd4be9255e8eaeeca6ab940dbe72c84
SHA256: 8261fc92417ba5ddafe74ef0321ec84945e972de29fe16ce5c452fbcf7bc0092
SHA512: 69d424f498e611bbb8c5124640249684976dbcf89144858e2293c84b117b21e5b7b6120e4921c5df93f89e6729e2b4e5e1803655eeb15485e9930969a40c77f1
-
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize: 717KB
MD5: 63732732182c843cb32560ee2ff41986
SHA1: 9d6871cedc13a521ff060756cb3835604a72e00f
SHA256: a3a750578af7d499499cd7e3d8b267eacb4a65e3bb6a319f3e0c0732b2ea3250
SHA512: c252274b7e02dc3689684f75581db384dc0808242ca4f1bbf942b62807f8ece8cdf265a1ead04c3e24d1c1f51f3bd2b1872c04d08b6cf286dfac44b827db74c5
-
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize: 841KB
MD5: 63ae8db2121a3ca6d07ee898a7b10627
SHA1: 04edbad60bfe1fc50659fb06150703a22877c749
SHA256: 3230f02bc9ff6a6e3fe55c0e92ad3b33fccf52fc1dab0f6774faeefac8e774f9
SHA512: 38259bad50457475427bee5f21069f2c76e0e37ed560b135527d4c6a411400d88ba53490c15f2a8d20676e75a0ef181afd1f91d0f896dbf92b995a0e3fe6f9e6
-
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize: 1020KB
MD5: 164a60b108adc8b3ce2c20b01a1e3228
SHA1: e8cd4d7a4db79d0a98c68ff57e304630b6d64c63
SHA256: 0ba6896bf46489fe72bcfd8515de678a95299f29e29d9ae907506bc43d9b2780
SHA512: 64d55b020492203c58cb2aa28299ba0dfc98d025ee8cd80f4b1b9e8e8ddd8e2289b23c66e9b324e88dba107eddf89faca5f60b65d3fa3c6544b6c4d0eeff9ae9
-
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize: 1.5MB
MD5: d9c2eabdc81f056e5bf357850bf4b6fc
SHA1: 4d05676de5d91f9c21e1d2f503fddc6be70bfd48
SHA256: b3e26bd6e86d3439d6f8adfd93a99b7dc151feb0c33ecf56319093d4f5806a8c
SHA512: e204b5cadf9f63ffc02b5a995c3d5c8c5c992c913c424b2be5059d29cfcd3237961c06b6bfc4bd8863a68616584435495065d27a37515bc2237f92b88e1d01c1
-
C:\Program Files\dotnet\dotnet.exe
Filesize: 701KB
MD5: ceb4a954231afd775ee0d22f24f54bd9
SHA1: 52ea2d83bdde81fc7c69eb347114014c51df6850
SHA256: d9edfdec181c16f65ca9be79105bca5a1bc0a5e7a025891e611e7fe59590d80f
SHA512: 0288ab30818e532841a870304a9da56aee638a68e6af5a69565b410c8fab1a454c954dd49c583c477e2973330af7359c12d0ba5ee8124248b3dcc0d8e3a30b54
-
C:\Windows\SysWOW64\perfhost.exe
Filesize: 588KB
MD5: d130d7467ed55afc49ef04860b6d7c29
SHA1: 68fd42861aa4a9d57bc57705f3bf4d8f9bf1adfe
SHA256: f45d6f972e1f83eba37a74a34ad5364590532262648b42455d4747f8ac32d2e7
SHA512: 5aa4af56c2aae1fde6c59c2964bc2c044d1bb9cde55c1b0148178eebba74b2d1b85a542f83a442eccb854af074491b112895b27ebcb38ef70f63580581f94c19
-
C:\Windows\System32\AgentService.exe
Filesize: 1.7MB
MD5: 9c5c704c56e5d2bc7558847801d66c0e
SHA1: a5e8d20874541884ffdc992c453edbabc96c742a
SHA256: 69ea76e1bda33ec11b731da9a4e94918fff734ef28f5cb1998491d31e5f94470
SHA512: e32a4397616c0b6542d5b852d1a833855918ba52300a1a911505b4fce8dae272395d7a27574a80f5475ab046bbd7c3d41584eae2723f08f351c31e4e3c2205a9
-
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize: 659KB
MD5: 653b25e3bebbda6d62e1e70ba0ca2f16
SHA1: b1bff8a8ae41b5c22f187a10009ab991ca99bb79
SHA256: 6aa81c29f71d8577ea5fa632336132dea4a66145218ee7da5d0def8c91a20ff9
SHA512: ca41aaa125b9ed3a61288bb81b82845acf6ed7d4ce55b2f2bf18ec9f27163d99ebb5ac636b364af9a69a1702fb2b4652bd0298dc54dcb5f38862ae641dbf99bd
-
C:\Windows\System32\FXSSVC.exe
Filesize: 1.2MB
MD5: d2ff90738262370b8b1486245515e3b7
SHA1: 01ef53accefb5f02799cd974f87fe505a5117f40
SHA256: 8d72e5f437d898219adac830d4ced4f8a6933424b634ad96d9e18d2c9bd43926
SHA512: b86b2e4b8df5e58ac726b0a9a5fdf49a9ffbdd6f2378a963d0327c592622e2ecc808035844e5ceb0b31606df6fe380ba8c6f1d5a3209096f7e52065e3b42c1e2
-
C:\Windows\System32\Locator.exe
Filesize: 578KB
MD5: 05610d83e6d11d1057de6d3846419a3c
SHA1: 247b5e993bf4fb26a0314e8e442788bff85a3928
SHA256: ba6ee5bc20b8908b6c36f16b5203d0481f3121efbafbbd164532ac897da850f3
SHA512: 9053f2b0e8829418689c629d78d66c550097b0b57ad843783f158ea24d805ae23c2d6e0f243d492a214996ddfe427d79c3c8abc7152eab997d29758fb7504c09
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize: 940KB
MD5: 2d0ab0c46c22214ee51f06b49a458638
SHA1: f7963e9262b2b7241f2c6b3d0bb1505e99024476
SHA256: d4bc050ba6e98e07ba5b94b14ae79dd0f8b890a19471c799bcbb5cda00d671e3
SHA512: 5c253b9fff84d5f14f6270981280ae7bb41ac76253fe18601613f8f8b1b6f7c32e1d92f958555bb543df8c10d9d8004c41053bbf9c20ddf087d6469e009f61cf
-
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize: 671KB
MD5: 92b4915863d45dde4c6272c3b6e876bd
SHA1: 55d937195d6cd4d8a9fe41712f951defbcee3bcd
SHA256: f23150d629a9aaa8a08e146350716695d6223b8d1dc2d91388d0ff25198200c9
SHA512: 0f5acb2bc5598102bac8a854210b7f189f2915f121b0ddf2a0d9a24b61e665199877e96ba8d9db149e992e6293bef5bd350bb74ed78c1c25ae11cda9a3566fd5
-
C:\Windows\System32\SearchIndexer.exe
Filesize: 1.4MB
MD5: 068d7619c5061105ebb2fd28f1fac71c
SHA1: f2723d9f5efa97547d757ef31dc08f77c46a1a8f
SHA256: 17c27f40f076c759f2cf8c01100e49b1b5ad40ad9efe39c90f8b27ffa15277d6
SHA512: b94753ec717fcab5059684e7175deffb4df5c030c36061b6cd717889e1209ef1fe7a68fa86ec33d1898b9a8f4028fe03353d8c742b00bcfb724cde0247e1f19f
-
C:\Windows\System32\SensorDataService.exe
Filesize: 1.8MB
MD5: c67ea5b3faababcbb6cb36c627867648
SHA1: d6b5e0bcb5d8a707103d56cab2abbd38f2e9fe2f
SHA256: 18a917b34854b511eb426f49bc1dfc565ae29dd9ddc21ffe1123ff31957175a0
SHA512: 75ca823311ff0c1e71b195cee750f2676ef3cfe7b68f9cc75f4d85d6782c29a4f22b629b9e8fb0ec24556c30816ca0c9211635a73154290c16e8f1fd442f32f3
-
C:\Windows\System32\Spectrum.exe
Filesize: 1.4MB
MD5: 02d4652a2d52cca8cfb16f23b856d2e4
SHA1: a00c26b03c1f2c77655b99a2e8b896d87ed240d3
SHA256: a69e4f6e822fa8720a3d1d190119dd8c6692649ad463df9ec1efe193e1947d5e
SHA512: bdb5094e3dd45653a7992a550d681f394d13210dcee2738a7e35d92edb267181417c59a41d807813caba3ad84d13907bcfaf5b43d0c9f14dbf76686712be2399
-
C:\Windows\System32\TieringEngineService.exe
Filesize: 885KB
MD5: 18b801375638c6561902a8f82a9b9f28
SHA1: 1933c8aa54a2839822f66c3e2765ef904036a93b
SHA256: 7c8ae63153f8d80fb2bb6ba4d29e19af57f9d0375e7ad27d7fc158d048e12229
SHA512: 17fd68b75880b8e6abb95412dbc6d9e239ae5fc4bee7c1a841bc689904434ea59a12e3d50358eb0ccd82e8e9934735b7862a02022fe71a602f2c4bea3ed06adf
-
C:\Windows\System32\VSSVC.exe
Filesize: 2.0MB
MD5: 9ec5b8a0214dc985051e6fddcc9e13b9
SHA1: ad22a04590ae0f60746a21056591563f2c36b7b6
SHA256: bed0ab4da3ba154ef443695a9197860d1a8332b17ca1589f664393dea6f9dfdd
SHA512: 10c6f5706caa231a533073c99f378e353458a0474fd9fc42fb29a06f7fa2490b64797a078a39cb0c1378fbf37e30c3079f1f41c4641a9b4e05105152fe1435fd
-
C:\Windows\System32\alg.exe
Filesize: 661KB
MD5: 2f62231a81b29e1fdcece04338e8f295
SHA1: 68f3c0583e76659c401fab5ffd94e497b4b0b728
SHA256: 3d447ddab010ddc3df4add1cb7e6baa7199979ff345ab5375ca0ddb21ae58b25
SHA512: fdb74be835136119c2a3b73eaf3029116564d036909db71d01480f21dcdccfef167bd64583db2bcce3ebd5b452f970b535ce5411507bdaf5f7b877192284b5c4
-
C:\Windows\System32\msdtc.exeFilesize
712KB
MD5de0351da786ce12abecd62563da18fd6
SHA11e9e0c724581ebcba76d99f253d14457a6d09952
SHA2569a2673c1b25c0a5601824ba46d3aaf470774499400f859718fc285ec304b22d3
SHA51296877d2fbf8c0f203253a2887db3921f0cefb322add87be66961c9c852ff488169d6ab61022f7fa73a0c994d7fbc794c535af7cc871fed9bf0bbd33c6f147ac0
-
C:\Windows\System32\snmptrap.exeFilesize
584KB
MD53c9199b669c5af4d78994be9d099bc3f
SHA1ea8d5f7e9523accee19db63c5ff90f71e179a9b4
SHA256de52c25db46fb2bdeeac9bbbcef0908401a3db7a59a201d6673fb49a168d22ba
SHA512c3da916acca1d0e8ce024153163d304666733f6eccd2c01947416ce527af7762fcbfbc1504ca4f4ffa4ef758493c82cc580c3e09df110c963921fa4be3f7f19c
-
C:\Windows\System32\vds.exeFilesize
1.3MB
MD56610a710d9740d0addc82acda65ce5b4
SHA1022330d9f6c9678075eec2ee5d7b2ec5bc37958e
SHA256b516971996df0bce7826fb58b8eff745a639c8b29342117d75e721903e3011ad
SHA5121f6a7837021a02cb035355d1c52835d60aed05debfc45cfd388b5c3ad3d28d318a0e68400271f961fa1dbbbdc50f0d4c7792bc2d8f3adeda33afe49fddf6be52
-
C:\Windows\System32\wbem\WmiApSrv.exeFilesize
772KB
MD53609a4bcbc5fb5ea96665dcb21a3842a
SHA1fccb5d5021184373d0e8884e2a3482cae790919b
SHA256a68258656a7f1365e71ab80d76f2945ded76442b62d9b47d1e041a0eda27330d
SHA5121ca16e719850ad4a5ce3c10b92cda92d349feab2876cc9eb18d34594e2a341ab340463ed2918e7105399dceb1d3eb84abe644c502f61d670cd8b344988321687
-
C:\Windows\System32\wbengine.exeFilesize
2.1MB
MD5c925e3928883db8c9fb5fadabb0be3e9
SHA14589eee09b93dc4cd6b897ff4e273912cbbd3704
SHA2569fd3db6a5fb4956197989fbb43637ce6d5b5ea200bb57ea9ce774499771c90dc
SHA5126947b6c647c29fed8d33fd9fbcae4cb40e06401cdb72bfe2815ce3cec0d2d25bb90251cc990989f2e73a2751008562c872041cfe05b95aa3a87f78560f51b35b
-
C:\Windows\system32\AppVClient.exeFilesize
1.3MB
MD58299b982845d676ad6363fad110e647e
SHA152edfdb874038dbe9f4d7713e1fec0996d887b1e
SHA25647ced93d7b9855f65692e5b244696b8a8454cc13b94c37b28ec4f39261a886dc
SHA512d66d76ba31bbe3c7407a63344aa98fd715781077ab918930db9e603f6f34f1b8ede0db34576b4f71e8be5b6fec9703ed85abbf2720dbc959ad6a2aae137eafbe
-
C:\Windows\system32\SgrmBroker.exeFilesize
877KB
MD5bfa546c05af813b86c7e67b3a8eb8af7
SHA1b96664cbf7ca57e9b6c5713e4e44da6346e5c87d
SHA256fa6a3cd64b6f95401c5a8df0cfd07cc2cc0d2c0bba39b44206789b284d31bc2f
SHA5121dd837811cde9d41c0cfd63c9380bf9367846e5be4d77439b70aedc322c268d8afcea04762afddf72ba546202dd6b69c6263e9ce016a105337912baf8bfe9c54
-
C:\Windows\system32\msiexec.exeFilesize
635KB
MD53550f17173dd5963c2d2eb9a59b720dc
SHA1873efa9d9108a121547cb0262e63bc75a0baadca
SHA256302b16e40c18645dc648c84c864a51f6e95132a79de18c08ee7b605b571b4c9b
SHA512469da2fd401dac914c6da888cb1d33ff652bd2b12997ee3e14d231c995167f546cf7b1e19693616edff564ffbf88a69961fcea0f14163aa436f492daefb1ca0c
-
memory/452-41-0x0000000140000000-0x0000000140135000-memory.dmpFilesize
1.2MB
-
memory/452-28-0x0000000140000000-0x0000000140135000-memory.dmpFilesize
1.2MB
-
memory/660-144-0x0000000140000000-0x00000001400E2000-memory.dmpFilesize
904KB
-
memory/660-483-0x0000000140000000-0x00000001400E2000-memory.dmpFilesize
904KB
-
memory/784-152-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/784-484-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/1288-143-0x0000000140000000-0x000000014024B000-memory.dmpFilesize
2.3MB
-
memory/1288-31-0x0000000000D60000-0x0000000000DC0000-memory.dmpFilesize
384KB
-
memory/1288-38-0x0000000000D60000-0x0000000000DC0000-memory.dmpFilesize
384KB
-
memory/1288-37-0x0000000140000000-0x000000014024B000-memory.dmpFilesize
2.3MB
-
memory/1492-81-0x0000000140000000-0x00000001400B9000-memory.dmpFilesize
740KB
-
memory/2436-148-0x0000000140000000-0x00000001401C0000-memory.dmpFilesize
1.8MB
-
memory/2436-150-0x0000000140000000-0x00000001401C0000-memory.dmpFilesize
1.8MB
-
memory/2460-13-0x0000000140000000-0x00000001400AA000-memory.dmpFilesize
680KB
-
memory/2460-116-0x0000000140000000-0x00000001400AA000-memory.dmpFilesize
680KB
-
memory/2920-156-0x0000000140000000-0x00000001401FC000-memory.dmpFilesize
2.0MB
-
memory/2920-487-0x0000000140000000-0x00000001401FC000-memory.dmpFilesize
2.0MB
-
memory/2980-481-0x0000000140000000-0x0000000140102000-memory.dmpFilesize
1.0MB
-
memory/2980-140-0x0000000140000000-0x0000000140102000-memory.dmpFilesize
1.0MB
-
memory/3156-90-0x0000000000500000-0x0000000000560000-memory.dmpFilesize
384KB
-
memory/3156-84-0x0000000000500000-0x0000000000560000-memory.dmpFilesize
384KB
-
memory/3156-97-0x0000000140000000-0x00000001400AB000-memory.dmpFilesize
684KB
-
memory/3612-72-0x0000000000710000-0x0000000000770000-memory.dmpFilesize
384KB
-
memory/3612-155-0x0000000140000000-0x00000001400CF000-memory.dmpFilesize
828KB
-
memory/3612-78-0x0000000000710000-0x0000000000770000-memory.dmpFilesize
384KB
-
memory/3612-82-0x0000000140000000-0x00000001400CF000-memory.dmpFilesize
828KB
-
memory/3632-384-0x0000000140000000-0x0000000140169000-memory.dmpFilesize
1.4MB
-
memory/3632-122-0x0000000140000000-0x0000000140169000-memory.dmpFilesize
1.4MB
-
memory/3648-488-0x0000000140000000-0x0000000140216000-memory.dmpFilesize
2.1MB
-
memory/3648-160-0x0000000140000000-0x0000000140216000-memory.dmpFilesize
2.1MB
-
memory/3716-100-0x00000000004A0000-0x0000000000507000-memory.dmpFilesize
412KB
-
memory/3716-159-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/3716-98-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/3716-104-0x00000000004A0000-0x0000000000507000-memory.dmpFilesize
412KB
-
memory/4500-15-0x0000000000680000-0x00000000006E0000-memory.dmpFilesize
384KB
-
memory/4500-24-0x0000000000680000-0x00000000006E0000-memory.dmpFilesize
384KB
-
memory/4500-23-0x0000000140000000-0x00000001400A9000-memory.dmpFilesize
676KB
-
memory/4672-1-0x0000000002340000-0x00000000023A7000-memory.dmpFilesize
412KB
-
memory/4672-0-0x0000000000400000-0x00000000005D9000-memory.dmpFilesize
1.8MB
-
memory/4672-6-0x0000000002340000-0x00000000023A7000-memory.dmpFilesize
412KB
-
memory/4672-108-0x0000000000400000-0x00000000005D9000-memory.dmpFilesize
1.8MB
-
memory/4912-110-0x0000000140000000-0x0000000140095000-memory.dmpFilesize
596KB
-
memory/4932-65-0x0000000000C00000-0x0000000000C60000-memory.dmpFilesize
384KB
-
memory/4932-54-0x0000000140000000-0x00000001400CF000-memory.dmpFilesize
828KB
-
memory/4932-55-0x0000000000C00000-0x0000000000C60000-memory.dmpFilesize
384KB
-
memory/4932-67-0x0000000140000000-0x00000001400CF000-memory.dmpFilesize
828KB
-
memory/4932-61-0x0000000000C00000-0x0000000000C60000-memory.dmpFilesize
384KB
-
memory/5220-168-0x0000000140000000-0x0000000140179000-memory.dmpFilesize
1.5MB
-
memory/5220-490-0x0000000140000000-0x0000000140179000-memory.dmpFilesize
1.5MB
-
memory/5420-113-0x0000000140000000-0x00000001401D7000-memory.dmpFilesize
1.8MB
-
memory/5420-167-0x0000000140000000-0x00000001401D7000-memory.dmpFilesize
1.8MB
-
memory/5420-482-0x0000000140000000-0x00000001401D7000-memory.dmpFilesize
1.8MB
-
memory/5428-49-0x00000000001A0000-0x0000000000200000-memory.dmpFilesize
384KB
-
memory/5428-51-0x0000000140000000-0x000000014022B000-memory.dmpFilesize
2.2MB
-
memory/5428-43-0x00000000001A0000-0x0000000000200000-memory.dmpFilesize
384KB
-
memory/5428-147-0x0000000140000000-0x000000014022B000-memory.dmpFilesize
2.2MB
-
memory/5740-358-0x0000000140000000-0x0000000140096000-memory.dmpFilesize
600KB
-
memory/5740-117-0x0000000140000000-0x0000000140096000-memory.dmpFilesize
600KB
-
memory/6068-489-0x0000000140000000-0x00000001400C6000-memory.dmpFilesize
792KB
-
memory/6068-163-0x0000000140000000-0x00000001400C6000-memory.dmpFilesize
792KB